CRITICAL🇵🇱 Wersja polska

CVE-2024-56973

CVSS 9.8v3.1pub. 2025-02-14upd. 2026-04-15

Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker to execute arbitrary code via the source and filename parameters to the ProcessUploadFromURL.jsp component.

🤖 AI Analysis
How it works

An attacker can send a crafted network request to the ProcessUploadFromURL.jsp component without authentication, manipulating the 'source' and 'filename' parameters. Insufficient permissions and lack of validation of these parameters allow for the delivery and execution of malicious code on the server side. As a result, remote code execution (RCE) is possible without any user interaction.

Impact

An attacker can gain full control over the vulnerable system, including access to confidential data, the ability to modify or delete data, and potentially further movement within the internal network (lateral movement).

Mitigation & patch

Alvaria Unified IP Unified Director should be updated to version 7.2SP2 or newer. Until the patch is deployed, it is recommended to restrict network access to the ProcessUploadFromURL.jsp component through firewall rules or other access control mechanisms.

Who is affected

Alvaria Unified IP Unified Director in versions prior to 7.2SP2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References