CVE-2024-53354

Name of the Vulnerable Software and Affected Versions EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier

Description The issue allows remote authenticated attackers to execute arbitrary SQL commands. This can be achieved via various parameters to different API endpoints, including the user parameter to "/api/management/findfilterlist", the user or filter parameter to "/api/audit/findmetawatcher", and others. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For EasyVirt DCScope versions 8.6.0 and earlier, update to a version later than 8.6.0. For EasyVirt CO2Scope versions 1.3.0 and earlier, update to a version later than 1.3.0. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/api/management/findfilterlist", "/api/audit/findmetawatcher", and others, until a patch is available. Avoid using the vulnerable parameters, such as user, filter, login, is local, is ldap, is openid, role, TIMEAGO, IDENTIFIER, USER, NAME, COST, VM COST, VM, HOST, STORAGE, and timeago, in the affected API endpoints until the issue is resolved.