Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote authenticated attackers to execute arbitrary SQL commands via the (1) user parameter to /api/management/findfilterlist; the (2) user or (3) filter parameter to /api/audit/findmetawatcher; the (4) user parameter to /api/audit/findmetaalert; the (5) user parameter to /api/management/ds; the (6) user or (7) filter parameter to /api/audit/findmetarunalert; the (7) user parameter to /api/management/findtimeview; the (8) user, (9) filter or (10) target parameter to /api/management/getihmsettings; the (11) user or (12) filter parameter to /api/management/elementstype; the (14) login, (15) user, (16) is_local, (17) is_ldap, or (18) is_openid parameter to /api/user/addalias; the (19) role parameter to /api/user/addrole; the (20) user or (21) filter parameter to /api/management/addtimeview; the (22) TIMEAGO, (23) IDENTIFIER, (24) USER, (25) NAME, or (26) COST parameter to /api/management/addtagcosts; the (27) USER, or (28) VM_COST parameter to /api/management/updategenericcpucost; the (29) VM, (30) HOST, or (31) STORAGE parameter to /api/management/updatecostinfo; the (32) user, (33) filter, or (34) timeago parameter to /api/management/addfilter; the (35) user parameter to /api/report/getreporthistory.
References
| Link | Resource |
|---|---|
| https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2024-53354.md | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
23 May 2025, 15:39
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Easyvirt
Easyvirt dcscope Easyvirt co2scope |
|
| CPE | cpe:2.3:a:easyvirt:co2scope:*:*:*:*:*:*:*:* cpe:2.3:a:easyvirt:dcscope:*:*:*:*:*:*:*:* |
|
| References | () https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2024-53354.md - Exploit, Third Party Advisory |
07 Feb 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote authenticated attackers to execute arbitrary SQL commands via the (1) user parameter to /api/management/findfilterlist; the (2) user or (3) filter parameter to /api/audit/findmetawatcher; the (4) user parameter to /api/audit/findmetaalert; the (5) user parameter to /api/management/ds; the (6) user or (7) filter parameter to /api/audit/findmetarunalert; the (7) user parameter to /api/management/findtimeview; the (8) user, (9) filter or (10) target parameter to /api/management/getihmsettings; the (11) user or (12) filter parameter to /api/management/elementstype; the (14) login, (15) user, (16) is_local, (17) is_ldap, or (18) is_openid parameter to /api/user/addalias; the (19) role parameter to /api/user/addrole; the (20) user or (21) filter parameter to /api/management/addtimeview; the (22) TIMEAGO, (23) IDENTIFIER, (24) USER, (25) NAME, or (26) COST parameter to /api/management/addtagcosts; the (27) USER, or (28) VM_COST parameter to /api/management/updategenericcpucost; the (29) VM, (30) HOST, or (31) STORAGE parameter to /api/management/updatecostinfo; the (32) user, (33) filter, or (34) timeago parameter to /api/management/addfilter; the (35) user parameter to /api/report/getreporthistory. |
03 Feb 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| CWE | CWE-89 |
31 Jan 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-01-31 22:15
Updated : 2025-05-23 15:39
NVD link : CVE-2024-53354
Mitre link : CVE-2024-53354
CVE.ORG link : CVE-2024-53354
JSON object : View
Products Affected
easyvirt
- dcscope
- co2scope
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')