CVE-2024-50625

An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to arbitrary file uploads within specific directories, potentially enabling privilege escalation when combined with other vulnerabilities.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.digi.com/getattachment/Resources/Security/Alerts/Digi-ConnectPort-LTS-Firmware-Update/ConnectPort-LTS-KB.pdf	Vendor Advisory
https://www.digi.com/resources/documentation/digidocs/pdfs/90001001.pdf	Product
https://www.digi.com/resources/security	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:digi:connectport_lts_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:digi:connectport_lts_16:-:::::::*
	cpe:2.3:h:digi:connectport_lts_16_mei:-:::::::*
	cpe:2.3:h:digi:connectport_lts_16_mei_2ac:-:::::::*
	cpe:2.3:h:digi:connectport_lts_32:-:::::::*
	cpe:2.3:h:digi:connectport_lts_32_mei:-:::::::*
	cpe:2.3:h:digi:connectport_lts_8_mei:-:::::::*

History

27 Jun 2025, 16:07

Type	Values Removed	Values Added
CPE		cpe:2.3:h:digi:connectport_lts_32:-:::::::* cpe:2.3:h:digi:connectport_lts_16:-:::::::* cpe:2.3:h:digi:connectport_lts_16_mei_2ac:-:::::::* cpe:2.3:h:digi:connectport_lts_16_mei:-:::::::* cpe:2.3:o:digi:connectport_lts_firmware:::::::: cpe:2.3:h:digi:connectport_lts_32_mei:-:::::::* cpe:2.3:h:digi:connectport_lts_8_mei:-:::::::*
First Time		Digi connectport Lts 32 Mei Digi connectport Lts 32 Digi connectport Lts Firmware Digi Digi connectport Lts 16 Mei Digi connectport Lts 16 Digi connectport Lts 8 Mei Digi connectport Lts 16 Mei 2ac
References	~~() https://www.digi.com/getattachment/Resources/Security/Alerts/Digi-ConnectPort-LTS-Firmware-Update/ConnectPort-LTS-KB.pdf -~~	() https://www.digi.com/getattachment/Resources/Security/Alerts/Digi-ConnectPort-LTS-Firmware-Update/ConnectPort-LTS-KB.pdf - Vendor Advisory
References	~~() https://www.digi.com/resources/documentation/digidocs/pdfs/90001001.pdf -~~	() https://www.digi.com/resources/documentation/digidocs/pdfs/90001001.pdf - Product
References	~~() https://www.digi.com/resources/security -~~	() https://www.digi.com/resources/security - Vendor Advisory

12 Dec 2024, 02:06

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.0
Summary		(es) Se descubrió un problema en Digi ConnectPort LTS anterior a la versión 1.4.12. Una vulnerabilidad en el manejo de carga de archivos de una aplicación web permite la manipulación de rutas de archivos mediante solicitudes POST. Esto puede provocar cargas de archivos arbitrarias dentro de directorios específicos, lo que potencialmente permite la escalada de privilegios cuando se combina con otras vulnerabilidades.
CWE		CWE-434

09 Dec 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-09 22:15

Updated : 2025-06-27 16:07

NVD link : CVE-2024-50625

Mitre link : CVE-2024-50625

CVE.ORG link : CVE-2024-50625

JSON object : View

Products Affected

digi

connectport_lts_32
connectport_lts_16_mei
connectport_lts_16
connectport_lts_8_mei
connectport_lts_16_mei_2ac
connectport_lts_firmware
connectport_lts_32_mei

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-50625", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2024-12-09T22:15:22.610", "references": [{"url": "https://www.digi.com/getattachment/Resources/Security/Alerts/Digi-ConnectPort-LTS-Firmware-Update/ConnectPort-LTS-KB.pdf", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.digi.com/resources/documentation/digidocs/pdfs/90001001.pdf", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.digi.com/resources/security", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to arbitrary file uploads within specific directories, potentially enabling privilege escalation when combined with other vulnerabilities."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Digi ConnectPort LTS anterior a la versi\u00f3n 1.4.12. Una vulnerabilidad en el manejo de carga de archivos de una aplicaci\u00f3n web permite la manipulaci\u00f3n de rutas de archivos mediante solicitudes POST. Esto puede provocar cargas de archivos arbitrarias dentro de directorios espec\u00edficos, lo que potencialmente permite la escalada de privilegios cuando se combina con otras vulnerabilidades."}], "lastModified": "2025-06-27T16:07:48.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:digi:connectport_lts_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36E2B8EB-FD51-4EFD-87BC-61841B5B1372", "versionEndExcluding": "1.4.12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:digi:connectport_lts_16:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D927F6A5-D6AA-4AEB-A7E8-CA5A3BE5ED6E"}, {"criteria": "cpe:2.3:h:digi:connectport_lts_16_mei:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BDCB83B5-1662-47D8-89E9-F64297D235A5"}, {"criteria": "cpe:2.3:h:digi:connectport_lts_16_mei_2ac:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CCF5F04A-5AE9-4C1B-8F54-820CF6673E12"}, {"criteria": "cpe:2.3:h:digi:connectport_lts_32:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6F118AD7-F6E3-4F5F-91F6-B52978C0018D"}, {"criteria": "cpe:2.3:h:digi:connectport_lts_32_mei:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E4D38E1C-90DE-4B19-9CE4-3B9116AE7AE0"}, {"criteria": "cpe:2.3:h:digi:connectport_lts_8_mei:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "78489691-DF52-45FF-BC61-7DDBCB0B56F0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}

8.0 /10