CISA KEV 정보
| 취약점명 | Advantive VeraCore Unrestricted File Upload Vulnerability |
|---|---|
| 설명 | Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx. |
| 조치사항 | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-434 |
| 등록일 (KEV) | 2025-03-10 |
| 조치 기한 | 2025-03-31 |
| 추가 참고 | https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1 ; https://nvd.nist.gov/vuln/detail/CVE-2024-57968 |
NVD 상세 정보
CVSS v3.1: 9.9 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H설명: Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.
CWE: CWE-434 | CWE-434
참조
- https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1 [Permissions Required, Product, Release Notes]
- https://intezer.com/blog/research/xe-group-exploiting-zero-days/ [Exploit, Technical Description, Third Party Advisory]
- https://www.solissecurity.com/en-us/insights/xe-group-from-credit-card-skimming-to-exploiting-zero-days/ [Exploit, Technical Description, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57968 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.