Multiple vulnerabilities in Synetics idoit pro

Posted date 12/09/2024
Importance
4 - High
Affected Resources
  • idoit pro, version 28.
Description

INCIBE has coordinated the publication of 2 vulnerabilities, 1 of high severity and 1 of medium severity, affecting version 28 of idoit pro by Synetics, an IT infrastructure management tool. The vulnerabilities were discovered by Adriá Bonilla Martin and Héctor de Armas.

Each vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-8749: 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-89.
  • CVE-2024-8750: 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | CWE-79.

Solution

Both vulnerabilities have been fixed in idoit pro version 32.

Detail
  • CVE-2024-8749: SQL injection vulnerability in idoit pro version 28. An authenticated attacker could send a specially crafted query to the ID parameter in /var/www/html/src/classes/modules/api/model/cmdb/isys_api_model_cmdb_objects_by_relation.class.php and retrieve all the information stored in the database.
  • CVE-2024-8750: Cross-site scripting (XSS) vulnerability in idoit pro version 28. Due to a lack of proper sanitization of the parameters id, lang, mNavID, name, pID, treeNode, type and view, an attacker could retrieve the session details of an authenticated user.