CVE-2022-24562

Published: Jun 16, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.

Affected (1)

Products: Iobit: Iotransfer

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Iobit Iotransfer	Version 4.3.1.1561

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (8)

http://iobit.com

Source: cve@mitre.org

ProductVendor Advisory

http://iotransfer.com

Source: cve@mitre.org

Broken Link

http://packetstormsecurity.com/files/167775/IOTransfer-4.0-Remote-Code-Execution.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://medium.com/%40tomerp_77017/exploiting-iotransfer-insecure-api-cve-2022-24562-a2c4a3f9149d

Source: cve@mitre.org

http://iobit.com

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

http://iotransfer.com

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

http://packetstormsecurity.com/files/167775/IOTransfer-4.0-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://medium.com/%40tomerp_77017/exploiting-iotransfer-insecure-api-cve-2022-24562-a2c4a3f9149d

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.