CRITICAL🇵🇱 Wersja polska

CVE-2024-38292

CVSS 9.8v3.1pub. 2025-02-27upd. 2025-07-11

In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-22 (path traversal) results from the lack of access control mechanism when handling file paths in the XIQ-SE system. An attacker can craft a request containing directory path traversal sequences (e.g., '../') to gain access to resources outside the permitted system area. The lack of permission verification allows this path to be exploited to perform privilege escalation without the need to possess any credentials.

Impact

An unauthorized remote attacker can gain full control over the system — achieving a high level of breach of confidentiality, integrity and availability of data (C:H/I:H/A:H). It is possible to escalate privileges to administrative or system level.

Mitigation & patch

Extreme Networks XIQ-SE should be updated to version 24.2.11 or newer. Detailed information about the patch is available in the official security advisory from the vendor: https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-104-xiq-se-path-traversal-privilege-escalation-cve-2024/ba-p/116362

Who is affected

Extreme Networks XIQ-SE in versions earlier than 24.2.11

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Extremenetworks Xiq Se

    OS
    Extremenetworks
    < 24.2.11
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalLPE
CWE
References

Related vulnerabilities

CVE-2024-38291HIGH8.8ten sam produkt

In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to pri...

CVE-2024-38290MEDIUM5.3ten sam produkt

In XIQ-SE before 24.2.11, a server misconfiguration may allow user enumeration when specific conditions are me...

CVE-2023-43119CRITICAL9.8ten sam vendor

An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22....

CVE-2023-35803CRITICAL9.8ten sam vendor

IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.

CVE-2023-35802CRITICAL9.8ten sam vendor

IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Overflow in the implementation of the CAPWA...