{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29836", "assignerOrgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "state": "PUBLISHED", "assignerShortName": "directcyber", "dateReserved": "2024-03-21T00:52:45.514Z", "datePublished": "2024-04-14T23:47:13.849Z", "dateUpdated": "2024-08-02T01:17:57.373Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Evolution Controller", "vendor": "CS Technologies Australia", "versions": [{"status": "affected", "version": "2.x"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site."}], "value": "The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "shortName": "directcyber", "dateUpdated": "2024-04-14T23:47:13.849Z"}, "references": [{"url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Broken Authentication on USER_CHANGE in Evolution Controller allows unauthenticated account creation and takeover", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "cs_technologies", "product": "evolution_controller", "cpes": ["cpe:2.3:a:cs_technologies:evolution_controller:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.04.560.31.03.2024", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T15:04:43.279807Z", "id": "CVE-2024-29836", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T15:05:49.895Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:17:57.373Z"}, "title": "CVE Program Container", "references": [{"url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:17:57.373Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29836", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-26T15:04:43.279807Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cs_technologies:evolution_controller:*:*:*:*:*:*:*:*"], "vendor": "cs_technologies", "product": "evolution_controller", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.04.560.31.03.2024"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T15:05:46.520Z"}}], "cna": {"title": "Broken Authentication on USER_CHANGE in Evolution Controller allows unauthenticated account creation and takeover", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CS Technologies Australia", "product": "Evolution Controller", "versions": [{"status": "affected", "version": "2.x"}], "defaultStatus": "affected"}], "references": [{"url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site.", "supportingMedia": [{"type": "text/html", "value": "The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "shortName": "directcyber", "dateUpdated": "2024-04-14T23:47:13.849Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29836", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:17:57.373Z", "dateReserved": "2024-03-21T00:52:45.514Z", "assignerOrgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "datePublished": "2024-04-14T23:47:13.849Z", "assignerShortName": "directcyber"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site."}, {"lang": "es", "value": "La interfaz web de Evolution Controller, versiones 2.04.560.31.03.2024 e inferiores, contiene un control de acceso mal configurado, lo que permite que un atacante no autenticado actualice y agregue perfiles de usuario dentro de la aplicaci\u00f3n y obtenga acceso completo al sitio."}], "id": "CVE-2024-29836", "lastModified": "2024-11-21T09:08:26.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "type": "Secondary"}]}, "published": "2024-04-15T00:15:12.847", "references": [{"source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html"}], "sourceIdentifier": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "type": "Secondary"}]}

{}