An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack due to improper verification of the source of a communication channel.
An attacker remotely, without authentication and without user interaction, can inject malicious network traffic into the application's communication channel. The cause is the lack of proper verification of the communication source (CWE-940 – Improper Verification of Source of a Communication Channel), which allows for substitution or modification of transmitted data. The attack vector is network-based, and the low attack complexity makes it possible to execute it in an automated manner.
An attacker can gain full access to sensitive data, modify or delete data processed by the application, and cause system unavailability – which corresponds to the highest ratings for confidentiality, integrity, and availability (C:H/I:H/A:H) on the CVSS scale.
Patches available from the vendor should be applied in accordance with the references. It is recommended to monitor updates on the vendor's website (caterease.com) and implement fixes immediately upon release. It is also recommended to restrict network access to the Caterease application exclusively to trusted IP addresses.
Horizoncloud Caterease versions from 16.0.1.1663 to 24.0.1.2405 and potentially in later versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHorizoncloud Caterease
APPHorizoncloud16.0.1.1663 – 24.0.1.2405
Related vulnerabilities
Caterease: obniżenie poziomu szyfrowania przez wybór słabszego algorytmu
Command Injection w Horizoncloud Caterease — zdalne przejęcie systemu OS
SQL Injection w Horizoncloud Caterease — zdalne wykonanie zapytań
SQL Injection umożliwiający command injection w Horizoncloud Caterease
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versio...