CVE-2024-23749
Severity CVSS v4.0:
Pending analysis
Type:
CWE-77
Command Injection
Publication date:
09/02/2024
Last modified:
15/05/2025
Description
KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:9bis:kitty:*:*:*:*:*:windows:*:* | 0.76.1.13 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
- http://seclists.org/fulldisclosure/2024/Feb/13
- http://seclists.org/fulldisclosure/2024/Feb/14
- https://blog.defcesco.io/CVE-2024-23749
- http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
- http://seclists.org/fulldisclosure/2024/Feb/13
- http://seclists.org/fulldisclosure/2024/Feb/14
- https://blog.defcesco.io/CVE-2024-23749