CX-One CX-One CXONE-AL CVE-2024-31413
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (jpcert) · only source for this CVE.
CVSS VectorVendor: jpcert
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution.
AnalysisAI
Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-761. Free of pointer not at start of buffer vulnerability exists in CX-One CX-One CXONE-AL[][]D-V4 (The version which was installed with a DVD ver. 4.61.1 or lower, and was updated through CX-One V4 auto update in January 2024 or prior) and Sysmac Studio SYSMAC-SE2[][][] (The version which was installed with a DVD ver. 1.56 or lower, and was updated through Sysmac Studio V1 auto update in January 2024 or prior). Opening a specially crafted project file may lead to arbitrary code execution.
Affected ProductsAI
January 2024 or.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Share
External POC / Exploit Code
Leaving vuln.today