Multiple vulnerabilities in Hyperion Web Server

Posted date: 25/04/2024
Identifier: INCIBE-2024-0208
Importance: 3 - Medium
Affected Resources
  • Hyperion Web Server, version 2.0.15.
Description

INCIBE has coordinated the publication of 2 medium severity vulnerabilities affecting Hyperion, open-source ambient lighting software, version 2.0.15, which were discovered by Raúl Fuentes Ferrer.

Each vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-4174: 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | CWE-79
  • CVE-2024-4175: 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | CWE-20
Solution

The vulnerabilities have been fixed in the latest version. The specific changes can be found in the link in the references.

Detail
  • CVE-2024-4174: Cross-Site Scripting (XSS) vulnerability in Hyperion Web Server affecting version 2.0.15. This vulnerability could allow an attacker to execute malicious JavaScript code on the client by injecting that code into the URL.

  • CVE-2024-4175: Unicode transformation vulnerability in Hyperion affecting version 2.0.15. This vulnerability could allow an attacker to send a malicious payload with Unicode characters that will be replaced by ASCII characters.
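The two findings above share a root cause worth showing in code: a filter that inspects raw input and only afterwards folds Unicode to ASCII lets markup through, while normalizing first and then escaping does not. The snippet below is an added illustration, not Hyperion's code; the function names, the fullwidth-bracket sample string and the use of NFKC as the stand-in for "Unicode replaced by ASCII" are assumptions for the example.

```javascript
// Added example (not Hyperion code). Demonstrates CWE-20 style
// validate-then-normalize versus the hardened normalize-then-escape order.

const HTML_META = /[<>"'&]/;

// Standard HTML entity escaping for text placed into a page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: reject raw input that contains HTML metacharacters, then
// normalize. NFKC (assumed here as the ASCII-folding step) maps
// fullwidth U+FF1C/U+FF1E to plain '<' and '>', after the check ran.
function weakSanitize(input) {
  if (HTML_META.test(input)) return null; // rejected
  return input.normalize('NFKC');
}

// Hardened: canonicalize first, then escape the canonical form, so
// whatever ASCII the transformation produces is neutralized.
function hardenedSanitize(input) {
  const canonical = input.normalize('NFKC');
  return escapeHtml(canonical);
}

// Detection helper for logging/alerting: true when normalization
// introduces ASCII characters that were not present in the raw input.
function normalizationIntroducesAscii(input) {
  const canonical = input.normalize('NFKC');
  const rawChars = new Set(input);
  for (const ch of canonical) {
    if (ch.charCodeAt(0) < 128 && !rawChars.has(ch)) return true;
  }
  return false;
}

// Constructed sample: fullwidth angle brackets around a tag name.
const SAMPLE = '\uFF1Cb\uFF1Ebold\uFF1C/b\uFF1E';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak     :', weakSanitize(SAMPLE));      // <b>bold</b>
  console.log('hardened :', hardenedSanitize(SAMPLE));  // &lt;b&gt;bold&lt;/b&gt;
  console.log('flagged  :', normalizationIntroducesAscii(SAMPLE)); // true
}
```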