CVE-2024-26260

The functionality for synchronization in HGiga OAKlouds' certain moudules has an OS Command Injection vulnerability, allowing remote attackers to inject system commands within specific request parameters. This enables the execution of arbitrary code on the remote server without permission.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.chtsecurity.com/news/e456f679-9091-4de4-8f78-9262d20d6a96	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7673-688b7-1.html	Third Party Advisory
https://www.chtsecurity.com/news/e456f679-9091-4de4-8f78-9262d20d6a96	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7673-688b7-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hgiga:oaklouds-organization-2.0::::::::
	cpe:2.3:a:hgiga:oaklouds-organization-3.0::::::::
	cpe:2.3:a:hgiga:oaklouds-webbase-2.0::::::::
	cpe:2.3:a:hgiga:oaklouds-webbase-3.0::::::::

History

23 Jan 2025, 19:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:hgiga:oaklouds-webbase-3.0:::::::: cpe:2.3:a:hgiga:oaklouds-organization-2.0:::::::: cpe:2.3:a:hgiga:oaklouds-organization-3.0:::::::: cpe:2.3:a:hgiga:oaklouds-webbase-2.0::::::::
References	~~() https://www.chtsecurity.com/news/e456f679-9091-4de4-8f78-9262d20d6a96 -~~	() https://www.chtsecurity.com/news/e456f679-9091-4de4-8f78-9262d20d6a96 - Third Party Advisory
References	~~() https://www.twcert.org.tw/tw/cp-132-7673-688b7-1.html -~~	() https://www.twcert.org.tw/tw/cp-132-7673-688b7-1.html - Third Party Advisory
First Time		Hgiga oaklouds-organization-3.0 Hgiga oaklouds-webbase-2.0 Hgiga oaklouds-organization-2.0 Hgiga oaklouds-webbase-3.0 Hgiga

Information

Published : 2024-02-15 03:15

Updated : 2025-01-23 19:55

NVD link : CVE-2024-26260

Mitre link : CVE-2024-26260

CVE.ORG link : CVE-2024-26260

JSON object : View

Products Affected

hgiga

oaklouds-organization-3.0
oaklouds-webbase-3.0
oaklouds-organization-2.0
oaklouds-webbase-2.0

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-26260", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-15T03:15:34.833", "references": [{"url": "https://www.chtsecurity.com/news/e456f679-9091-4de4-8f78-9262d20d6a96", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7673-688b7-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.chtsecurity.com/news/e456f679-9091-4de4-8f78-9262d20d6a96", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7673-688b7-1.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The functionality for synchronization in HGiga OAKlouds' certain moudules has an OS Command Injection vulnerability, allowing remote attackers to inject system commands within specific request parameters. This enables the execution of arbitrary code on the remote server without permission."}, {"lang": "es", "value": "La funcionalidad de sincronizaci\u00f3n en ciertos m\u00f3dulos de HGiga OAKlouds tiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo, lo que permite a atacantes remotos inyectar comandos del sistema dentro de par\u00e1metros de solicitud espec\u00edficos. Esto permite la ejecuci\u00f3n de c\u00f3digo arbitrario en el servidor remoto sin permiso."}], "lastModified": "2025-01-23T19:55:55.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hgiga:oaklouds-organization-2.0:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BDDE14F-3BD2-4AF2-AAFF-BF238F360860", "versionEndExcluding": "188"}, {"criteria": "cpe:2.3:a:hgiga:oaklouds-organization-3.0:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20A6F111-728D-45DE-B7EC-1C3BC9542F78", "versionEndExcluding": "188"}, {"criteria": "cpe:2.3:a:hgiga:oaklouds-webbase-2.0:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C52C10C8-08A1-4CDC-8309-C3F874EBEFF6", "versionEndExcluding": "1051"}, {"criteria": "cpe:2.3:a:hgiga:oaklouds-webbase-3.0:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B80523EB-F1BE-4F09-9613-F7CE2F556056", "versionEndExcluding": "1051"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}