CVE-2024-53357

Name of the Vulnerable Software and Affected Versions EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier

Description The issue allows remote authenticated attackers with low privileges to perform various actions, including adding admin users, modifying users, deleting users, getting users, adding root groups, modifying groups, deleting groups, getting groups, adding admin roles, modifying roles, deleting roles, and getting roles. This is achieved through SQL injection vulnerabilities in several API endpoints, such as /api/user/addalias, /api/user/updatealias, /api/user/delalias, /api/user/aliases, /api/user/adduser, /api/user/updateuser, /api/user/deluser, /api/user/users, /api/user/addrole, /api/user/updaterole, /api/user/delrole, and /api/user/roles. Additionally, the AES encryption keys used to encrypt passwords are not stored securely.

Recommendations For EasyVirt DCScope versions 8.6.0 and earlier, update to a version that fixes the SQL injection vulnerabilities and securely stores AES encryption keys. For EasyVirt CO2Scope versions 1.3.0 and earlier, update to a version that fixes the SQL injection vulnerabilities and securely stores AES encryption keys. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Restrict access to the /api/user module to minimize the risk of exploitation. Avoid using the vulnerable API endpoints in the affected versions until the issue is resolved.