CRITICAL🇵🇱 Wersja polska

CVE-2024-24621

CVSS 9.8v3.1pub. 2024-07-25upd. 2024-11-21

Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.

🤖 AI Analysis
How it works

The vulnerability results from improper condition verification (CWE-697) during the password reset process handling. This mechanism does not properly verify the requester's identity, which allows an anonymous attacker to bypass standard authentication. As a result, an attacker can reset the password in an unauthorized manner and take control of the system.

Impact

An attacker gains full access to the server with root user privileges, which means the possibility of taking complete control of the system, reading and modifying data, and installing arbitrary software.

Mitigation & patch

Apply patches available from the vendor according to the references. Technical details of the vulnerability and recommendations were published by Exodus Intel on July 25, 2024 at: https://blog.exodusintel.com/2024/07/25/softaculous-webuzo-authentication-bypass/

Who is affected

Softaculous Webuzo — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Softaculous Webuzo

    APP
    Softaculous
    < 4.2.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-24622HIGH8.8ten sam produkt

Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated a...

CVE-2024-24623HIGH8.8ten sam produkt

Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, a...

CVE-2013-6041HIGH7.5ten sam produkt

index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell m...

CVE-2013-6043MEDIUM5.0ten sam produkt

The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentica...

CVE-2013-6042MEDIUM4.3ten sam produkt

Cross-site scripting (XSS) vulnerability in filemanager/login.php in the File Manager module in Softaculous We...