Details of VAR-202203-0227

ID

VAR-202203-0227

CVE

CVE-2022-24915

TITLE

IPCOMM ipDIO Code Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-20534

DESCRIPTION

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services). IPCOMM ipDIO is a remote control communication device of German IPCOMM company. Used to record digital and analog inputs and control digital outputs. Attackers can use the vulnerability to inject malicious code. When legitimate users visit the web part of the displayed information, These codes will be explained

Trust: 1.44

sources: NVD: CVE-2022-24915 // CNVD: CNVD-2022-20534

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-20534

AFFECTED PRODUCTS

vendor:

ipcomm

model:

ipdio

scope:

version:

3.9

Trust: 1.6

sources: CNVD: CNVD-2022-20534 // NVD: CVE-2022-24915

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-24915
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-24915
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2022-20534
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202203-182
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-24915
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2022-20534
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-24915
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-24915
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-20534 // CNNVD: CNNVD-202203-182 // NVD: CVE-2022-24915 // NVD: CVE-2022-24915

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.0
problemtype:	NVD-CWE-Other	Trust: 1.0

sources: NVD: CVE-2022-24915

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-182

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202203-182

PATCH

title:	Patch for IPCOMM ipDIO Code Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/326466	Trust: 0.6
title:	IPCOMM ipDIO Fixes for code injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=184598	Trust: 0.6

sources: CNVD: CNVD-2022-20534 // CNNVD: CNNVD-202203-182

EXTERNAL IDS

db:	NVD	id:	CVE-2022-24915	Trust: 2.2
db:	ICS CERT	id:	ICSA-22-062-01	Trust: 1.6
db:	CNVD	id:	CNVD-2022-20534	Trust: 0.6
db:	CS-HELP	id:	SB2022030402	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-182	Trust: 0.6

sources: CNVD: CNVD-2022-20534 // CNNVD: CNNVD-202203-182 // NVD: CVE-2022-24915

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24915	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-24915/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022030402	Trust: 0.6

sources: CNVD: CNVD-2022-20534 // CNNVD: CNNVD-202203-182 // NVD: CVE-2022-24915

CREDITS

Aarón Flecha Menéndez of S21Sec reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202203-182

SOURCES

db:	CNVD	id:	CNVD-2022-20534
db:	CNNVD	id:	CNNVD-202203-182
db:	NVD	id:	CVE-2022-24915

LAST UPDATE DATE

2024-11-23T22:15:55.572000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-20534	date:	2022-03-18T00:00:00
db:	CNNVD	id:	CNNVD-202203-182	date:	2023-06-25T00:00:00
db:	NVD	id:	CVE-2022-24915	date:	2024-11-21T06:51:22.840

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-20534	date:	2022-03-17T00:00:00
db:	CNNVD	id:	CNNVD-202203-182	date:	2022-03-03T00:00:00
db:	NVD	id:	CVE-2022-24915	date:	2022-03-10T17:46:38.743