CVE-2024-39880

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-01	Third Party Advisory US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:deltaww:cncsoft-g2:2.0.0.5:*:*:*:*:*:*:*

History

21 Nov 2024, 09:28

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 7.8
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-01 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-01 - Third Party Advisory, US Government Resource

29 Aug 2024, 17:38

Type	Values Removed	Values Added
First Time		Deltaww Deltaww cncsoft-g2
CPE		cpe:2.3:a:deltaww:cncsoft-g2:2.0.0.5:::::::*
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-01 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-24-191-01 - Third Party Advisory, US Government Resource
CWE		CWE-787
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 8.8

11 Jul 2024, 13:05

Type	Values Removed	Values Added
Summary		(es) Delta Electronics CNCSoft-G2 carece de una validación adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos en un búfer basado en pila de longitud fija. Si un objetivo visita una página maliciosa o abre un archivo malicioso, un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual.

10 Jul 2024, 00:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

09 Jul 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 22:15

Updated : 2024-11-21 09:28

NVD link : CVE-2024-39880

Mitre link : CVE-2024-39880

CVE.ORG link : CVE-2024-39880

JSON object : View

Products Affected

deltaww

cncsoft-g2

CWE

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

7.8 /10