CVE-2024-3904

Published: Jul 4, 2024Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.0 / Impact: 6.0

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp (Secondary)

Description

Incorrect Default Permissions vulnerability in Smart Device Communication Gateway preinstalled on MELIPC Series MI5122-VW firmware versions "05" to "07" allows a local attacker to execute arbitrary code by saving a malicious file to a specific folder. As a result, the attacker may disclose, tamper with, destroy or delete information in the product, or cause a denial-of-service (DoS) condition on the product.

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (6)

https://jvn.jp/vu/JVNVU91215350/index.html

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-02

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-003_en.pdf

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

https://jvn.jp/vu/JVNVU91215350/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-02

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-003_en.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.