PT-2025-5722 · Kemp · Multi-Tenant Hypervisor+2

Published: 2025-02-05 · Updated: 2025-07-31 · CVE-2024-56131

CVSS v3.1: 8.4 (High)

Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LoadMaster versions 7.2.55.0 through 7.2.60.1
LoadMaster versions 7.2.49.0 through 7.2.54.12
LoadMaster version 7.2.48.12 and all prior versions
Multi-Tenant Hypervisor version 7.1.35.12 and all prior versions
ECS versions prior to 7.2.60.1

Description

The issue is caused by improper input validation, which allows OS command injection by authenticated users. This can lead to remote command execution and file downloads. The number of affected devices is not specified, and there is no information about real-world incidents in which this issue was exploited. Exploitation involves injecting commands into the system through vulnerable parameters or variables; specific API endpoints or function names are not mentioned.

Recommendations

For LoadMaster versions 7.2.55.0 through 7.2.60.1, upgrade to a version outside of this range to resolve the issue.
For LoadMaster versions 7.2.49.0 through 7.2.54.12, upgrade to a version outside of this range to resolve the issue.
For LoadMaster version 7.2.48.12 and all prior versions, upgrade to a version newer than 7.2.48.12 to resolve the issue.
For Multi-Tenant Hypervisor version 7.1.35.12 and all prior versions, upgrade to a version newer than 7.1.35.12 to resolve the issue.
For ECS versions prior to 7.2.60.1, upgrade to version 7.2.60.1 or newer to resolve the issue.

As a temporary workaround, consider restricting access to vulnerable components or modules until a patch is available. Avoid using potentially vulnerable parameters or variables in API endpoints until the issue is resolved.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-01592
BDU:2025-01593
BDU:2025-01594
BDU:2025-01595
BDU:2025-01596
CVE-2024-56131

Affected Products

ECS
LoadMaster
Multi-Tenant Hypervisor