CVE-2024-48956 - Vulnerability Disclosure Document
Last update: 2024-10-22 15:50 CEST
Overview
As part of a penetration test, a security-relevant vulnerability was discovered in Serviceware Processes. It allows an informed attacker to execute code remotely on the server without valid authentication.
Vulnerability ID
- CVE ID for this Vulnerability: CVE-2024-48956
- Serviceware internal ID: SEC-PRC-2024-001
Description
- Software/Product(s) containing the vulnerability: Serviceware Processes (helpLine)
- Version number of vulnerable software/product: 6.0 and higher
- Product Vendor: Serviceware SE
- Type of Vulnerability, if known: CWE-1394 (Use of Default Cryptographic Key)
- Vulnerability Description: An informed attacker can execute code remotely on the server without valid authentication.
- How may an attacker exploit this vulnerability? (Proof of Concept): An attacker can send a specially crafted HTTP request to a service endpoint that could result in remote code execution. Detailed information can be provided to customers upon request.
Impact
- Ability to execute code on the server remotely. Customers using an affected version must take immediate action.
CVSS Score
- CVSS Base Score: 9.8
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Resolution
- A fix/patch is available for all affected versions via Serviceware Support.
- Contact information to obtain the fix: service@serviceware-se.com
- Version containing the fix: 7.4
Reporter
- This vulnerability was discovered and responsibly disclosed by Oneconsult AG (https://www.oneconsult.com/).
Author and/or Contact Info
For more information or questions, please contact:
- Organization: Serviceware SE
- Email: service@serviceware-se.com
Disclosure Timeline
- 2024-09-25: Pen tester requests contact for the technical details.
- 2024-09-26: Serviceware SE receives technical details.
- 2024-09-27: Fix and mitigation internally established.
- 2024-09-30: Serviceware SE engages in communication with Oneconsult to clarify details.
- 2024-09-30: Serviceware SE announces the upcoming release of a security fix to its customers.
- 2024-10-01: Serviceware SE releases mitigation information to its customers.
- 2024-10-02: Serviceware SE releases the patch containing the final fix to its customers.