CVE-2024-28029

Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12	Third Party Advisory US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:05

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 - Third Party Advisory, US Government Resource

17 Oct 2024, 19:15

Type	Values Removed	Values Added
CWE	~~CWE-285~~	CWE-602
Summary	~~(en) Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.~~	(en) Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.

25 Mar 2024, 16:06

Type	Values Removed	Values Added
First Time		Deltaww Deltaww diaenergie
CWE		NVD-CWE-Other
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 - Third Party Advisory, US Government Resource
CPE		cpe:2.3:a:deltaww:diaenergie::::::::

22 Mar 2024, 12:45

Type	Values Removed	Values Added
Summary		(es) Los privilegios no se verifican completamente en el lado del servidor, lo que puede ser abusado por un usuario con privilegios limitados para eludir la autorización y acceder a funciones privilegiadas.

21 Mar 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-21 22:15

Updated : 2024-11-21 09:05

NVD link : CVE-2024-28029

Mitre link : CVE-2024-28029

CVE.ORG link : CVE-2024-28029

JSON object : View

Products Affected

deltaww

diaenergie

CWE

CWE-602

Client-Side Enforcement of Server-Side Security

NVD-CWE-Other

{"id": "CVE-2024-28029", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-03-21T22:15:11.353", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-602"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality."}, {"lang": "es", "value": "Los privilegios no se verifican completamente en el lado del servidor, lo que puede ser abusado por un usuario con privilegios limitados para eludir la autorizaci\u00f3n y acceder a funciones privilegiadas."}], "lastModified": "2024-11-21T09:05:40.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2AC96D25-8B44-4093-B30E-050C6F93A507", "versionEndExcluding": "1.10.00.005"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}

8.8 /10