CVE-2024-47485

There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hikvision:hikcentral_master:*:*:*:*:lite:*:*:*

History

22 Oct 2024, 16:23

Type	Values Removed	Values Added
First Time		Hikvision hikcentral Master Hikvision
CWE		CWE-1236
CPE		cpe:2.3:a:hikvision:hikcentral_master:::::lite:::*
References	~~() https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series/ -~~	() https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

18 Oct 2024, 12:52

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de inyección de CSV en algunas versiones de HikCentral Master Lite. Si se aprovecha, un atacante podría crear datos maliciosos para generar comandos ejecutables en el archivo CSV.

18 Oct 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-18 09:15

Updated : 2024-10-22 16:23

NVD link : CVE-2024-47485

Mitre link : CVE-2024-47485

CVE.ORG link : CVE-2024-47485

JSON object : View

Products Affected

hikvision

hikcentral_master

CWE

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

{"id": "CVE-2024-47485", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "hsrc@hikvision.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 5.5, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-18T09:15:03.093", "references": [{"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series/", "tags": ["Vendor Advisory"], "source": "hsrc@hikvision.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1236"}]}], "descriptions": [{"lang": "en", "value": "There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de CSV en algunas versiones de HikCentral Master Lite. Si se aprovecha, un atacante podr\u00eda crear datos maliciosos para generar comandos ejecutables en el archivo CSV."}], "lastModified": "2024-10-22T16:23:22.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hikvision:hikcentral_master:*:*:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "126DB70D-715D-4BC7-8038-0316BA2890DB", "versionEndExcluding": "2.3.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "hsrc@hikvision.com"}