IronMonkey Threat Research

CVE-2024-3980 CRITICAL

Published: 2024-08-27 | Last Modified: 2024-10-30 | Status: Analyzed

Description

The MicroSCADA Pro/X SYS600 product allows authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited, the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

Additional Descriptions (1)

The product allows the user to control or influence the paths or file names used in filesystem operations, which allows the attacker to access or modify system files or other files that are critical to the application.

CVSS Metrics

Base Score: 8.8 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 2.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Secondary en CWE-22
[email protected] Primary en CWE-22

Affected Products

Vendor Product Version Update Type
hitachienergy microscada_pro_sys600 9.4 fixpack_1 Application
hitachienergy microscada_pro_sys600 9.4 fixpack_2_hf1 Application
hitachienergy microscada_pro_sys600 9.4 fixpack_2_hf2 Application
hitachienergy microscada_pro_sys600 9.4 fixpack_2_hf3 Application
hitachienergy microscada_pro_sys600 9.4 fixpack_2_hf4 Application
hitachienergy microscada_pro_sys600 9.4 fixpack_2_hf5 Application
hitachienergy microscada_x_sys600 * * Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_1:*:*:*:*:*:*
Yes cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf1:*:*:*:*:*:*
Yes cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf2:*:*:*:*:*:*
Yes cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf3:*:*:*:*:*:*
Yes cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf4:*:*:*:*:*:*
Yes cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf5:*:*:*:*:*:*
Yes cpe:2.3:a:hitachienergy:microscada_x_sys600:*:*:*:*:*:*:*:*