1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Tibbo
- Equipment: AggreGate Network Manager
- Vulnerability: Unrestricted Upload of File with Dangerous Type
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to achieve code execution on the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Tibbo products are affected:
- AggreGate Network Manager: Versions 6.34.02 and prior
3.2 Vulnerability Overview
3.2.1 Unrestricted Upload of File with Dangerous Type CWE-434
There is an unrestricted file upload vulnerability in which an authenticated, low-privileged user can upload a JSP shell and execute code with the privileges of the user running the web server.
CVE-2024-12700 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-12700. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Taiwan