CVE-2024-1015

Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html	Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:se-elektronicgmbh:e-ddc3.3_firmware:03.07.03:*:*:*:*:*:*:*

cpe:2.3:h:se-elektronicgmbh:e-ddc3.3:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-01-29 14:15

Updated : 2024-02-02 02:04

NVD link : CVE-2024-1015

Mitre link : CVE-2024-1015

CVE.ORG link : CVE-2024-1015

JSON object : View

Products Affected

se-elektronicgmbh

e-ddc3.3
e-ddc3.3_firmware

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-1015", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-01-29T14:15:09.657", "references": [{"url": "https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}, {"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": " Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de comandos en SE-elektronic GmbH E-DDC3.3 que afecta a las versiones 03.07.03 y superiores. Un atacante podr\u00eda enviar diferentes comandos desde el sistema operativo al sistema a trav\u00e9s de la funcionalidad de configuraci\u00f3n web del dispositivo."}], "lastModified": "2024-02-02T02:04:13.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:se-elektronicgmbh:e-ddc3.3_firmware:03.07.03:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2FB32F1D-8E3D-4C2F-BF31-A107C9963D25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:se-elektronicgmbh:e-ddc3.3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3439959B-DB8A-4BE5-85EA-111851A8DC1E"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve-coordination@incibe.es"}