CVE-2024-20352

EPSS 0.27%
Published 03.04.2024 17:15:49
Last modified 07.05.2025 16:15:35
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a directory traversal attack, which could allow the attacker to perform arbitrary actions on an affected device. This vulnerability is due to insufficient protections for the web UI of an affected system. An attacker could exploit this vulnerability by sending crafted requests to the web UI. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user, such as accessing password or log files or uploading and deleting existing files from the system.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Emergency Responder Version < 12.5(1)su8b

Cisco ≫ Emergency Responder Version14

Cisco ≫ Emergency Responder Version14su1

Cisco ≫ Emergency Responder Version14su2

Cisco ≫ Emergency Responder Version14su3

Cisco ≫ Emergency Responder Version14su3a

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.5

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
psirt@cisco.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cem-csrf-suCmNjFr

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-20352

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-20352

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-20352

EUVD