Improper access control vulnerability in Prodys Quantum Audio codec

Posted date 23/05/2024
Importance
5 - Critical
Affected Resources
  • Quantum Audio codec, 2.3.4t version.
Description

INCIBE has coordinated the publication of a critical severity vulnerability affecting Prodys' Quantum Audio codec, a device that allows outdoor contributions over wireless networks, which has been discovered by Milan Duric and Jakob Pfister.

The vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-5168: CVSS v3.1: 9.8 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. | CWE-284.
Solution

The vendor attempted to fix the vulnerability in version 2.3.4t, limiting exploitation to a low-privileged attacker only. Finally, the vulnerability was fully fixed by the manufacturer in version 2.3.4w.

Detail

CVE-2024-5168: improper access control vulnerability in Prodys' Quantum Audio codec affecting versions 2.3.4t and below. This vulnerability could allow an unauthenticated user to bypass authentication entirely and execute arbitrary API requests against the web application.

References list