CVE-2024-0949

Description

Improper Access Control, Missing Authorization, Incorrect Authorization, Incorrect Permission Assignment for Critical Resource, Missing Authentication, Weak Authentication, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Talya Informatics Elektraweb allows Exploiting Incorrectly Configured Access Control Security Levels, Manipulating Web Input to File System Calls, Embedding Scripts within Scripts, Malicious Logic Insertion, Modification of Windows Service Configuration, Malicious Root Certificate, Intent Spoof, WebView Exposure, Data Injected During Configuration, Incomplete Data Deletion in a Multi-Tenant Environment, Install New Service, Modify Existing Service, Install Rootkit, Replace File Extension Handlers, Replace Trusted Executable, Modify Shared File, Add Malicious File to Shared Webroot, Run Software at Logon, Disable Security Software.This issue affects Elektraweb: before v17.0.68.

Reserved 2024-01-26 | Published 2024-06-27 | Updated 2024-08-01 | Assigner TR-CERT

Problem types

CWE-284 Improper Access Control

CWE-862 Missing Authorization

CWE-863 Incorrect Authorization

CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-306 Missing Authentication

CWE-1390 Weak Authentication

CWE-923 Improper Restriction of Communication Channel to Intended Endpoints

Product status

Default status
unaffected

Any version before v17.0.68
affected

Credits

Yusuf Kamil ÇAVUŞOĞLU finder

References

www.usom.gov.tr/bildirim/tr-24-0808

cve.org (CVE-2024-0949)

nvd.nist.gov (CVE-2024-0949)

Download JSON