CRITICAL🇵🇱 Wersja polska

CVE-2024-24525

CVSS 9.8v3.1pub. 2024-02-29upd. 2025-03-27

An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL.

🤖 AI Analysis
How it works

An attacker sends a specially crafted HTTP request containing a malicious payload in the infoid parameter of the URL. The application does not properly validate this value (CWE-94: improper neutralization of directives in dynamically generated code, CWE-233: improper handling of parameters), leading to interpretation of attacker-supplied code on the server side. The attack requires no authentication or user interaction and can be performed remotely over the network.

Impact

An attacker can gain full control over the application server — including confidentiality, integrity, and availability of all data — through remote code execution (RCE) with the privileges of the application process.

Mitigation & patch

Security patches available from the vendor should be applied in accordance with the references. Until an update is available, it is recommended to restrict access to the application at the firewall level and monitor network traffic for suspicious requests containing non-standard values of the infoid parameter.

Who is affected

EpointWebBuilder versions 5.1.0-sp1, 5.2.1-sp1, 5.4.1, and 5.4.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Epoint Epointwebbuilder

    APP
    Epoint
    5.1.05.2.15.4.15.4.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References