In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation.
The vulnerability classified as CWE-22 (path traversal) results from the lack of access control mechanism when handling file paths in the XIQ-SE system. An attacker can craft a request containing directory path traversal sequences (e.g., '../') to gain access to resources outside the permitted system area. The lack of permission verification allows this path to be exploited to perform privilege escalation without the need to possess any credentials.
An unauthorized remote attacker can gain full control over the system — achieving a high level of breach of confidentiality, integrity and availability of data (C:H/I:H/A:H). It is possible to escalate privileges to administrative or system level.
Extreme Networks XIQ-SE should be updated to version 24.2.11 or newer. Detailed information about the patch is available in the official security advisory from the vendor: https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2024-104-xiq-se-path-traversal-privilege-escalation-cve-2024/ba-p/116362
Extreme Networks XIQ-SE in versions earlier than 24.2.11
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExtremenetworks Xiq Se
OSExtremenetworks< 24.2.11
Related vulnerabilities
In XIQ-SE before 24.2.11, a low-privileged user may be able to access admin passwords, which could lead to pri...
In XIQ-SE before 24.2.11, a server misconfiguration may allow user enumeration when specific conditions are me...
An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22....
IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.
IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Overflow in the implementation of the CAPWA...