Multiple vulnerabilities in Open Automation Software OAS Platform
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2024-27201 CVE-2024-22178 CVE-2024-21870 CVE-2024-24976 |
| CWE-ID | CWE-20 CWE-73 CWE-130 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
OAS Platform Client/Desktop applications / Other client software |
| Vendor | Open Automation Software |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU88200
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-27201
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input in the OAS Engine User Configuration functionality. A remote administrator can pass specially crafted input to the application and cause unexpected data in the configuration.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOAS Platform: 19.00.0057
External linkshttp://talosintelligence.com/vulnerability_reports/TALOS-2024-1949
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) External Control of File Name or Path
EUVDB-ID: #VU88203
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-22178
CWE-ID:
CWE-73 - External Control of File Name or Path
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to application allows an attacker to control path of the files within the OAS Engine Save Security Configuration functionality. A remote administrator can send a specially crafted HTTP request and create or overwrite arbitrary files on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOAS Platform: 19.00.0057
External linkshttp://talosintelligence.com/vulnerability_reports/TALOS-2024-1951
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) External Control of File Name or Path
EUVDB-ID: #VU88202
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-21870
CWE-ID:
CWE-73 - External Control of File Name or Path
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to application allows an attacker to control path of the files within the OAS Engine Tags Configuration functionality. A remote administrator can send a specially crafted HTTP request and create or overwrite arbitrary files on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOAS Platform: 19.00.0057
External linkshttp://talosintelligence.com/vulnerability_reports/TALOS-2024-1950
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Handling of Length Parameter Inconsistency
EUVDB-ID: #VU88201
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-24976
CWE-ID:
CWE-130 - Improper Handling of Length Parameter Inconsistency
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of length parameter inconsistency in the OAS Engine File Data Source Configuration functionality. A remote administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOAS Platform: 19.00.0057
External linkshttp://talosintelligence.com/vulnerability_reports/TALOS-2024-1948
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
