CVE-2024-39717

Published: Aug 22, 2024Modified: Oct 30, 2025CISA KEV

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.

Affected (5)

Products: Versa Networks: Versa Director

Versa Networks

1 product

Versa Director

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Versa Networks Versa Director	Version 21.2.2
Versa Networks Versa Director	Version 21.2.3
Versa Networks Versa Director	Version 22.1.1
Versa Networks Versa Director	Version 22.1.2
Versa Networks Versa Director	Version 22.1.3

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/

Source: support@hackerone.com

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-39717

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.