Multiple vulnerabilities in Socomec Net Vision

Posted date 07/05/2024
Importance
4 - High
Affected Resources

Net Vision, version 7.20.

Description

INCIBE has coordinated the publication of two vulnerabilities, one of high and one of medium severity, affecting Socomec Net Vision version 7.20, a professional network adapter for remotely monitoring and controlling UPS units. They were discovered by José Daniel Martínez Coronel from IOActive.

Each vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-4600: 7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | CWE-352
  • CVE-2024-4601: 6.7 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-287
Solution

The vulnerabilities are fixed in the latest version of the affected product.

Detail
  • CVE-2024-4600: Cross-Site Request Forgery vulnerability in Socomec Net Vision, version 7.20. Because requests to the ‘set_param.cgi’ file are not properly validated, an attacker could trick a logged-in user into performing critical actions, such as adding and updating accounts.
  • CVE-2024-4601: An incorrect authentication vulnerability has been found in Socomec Net Vision affecting version 7.20. Because the application identifies sessions with a five-digit integer value, an attacker could brute-force the application and recover a valid session.
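As an added illustration, not part of INCIBE's advisory or Socomec's product, the Python snippet below shows how small the keyspace of a five-digit integer session identifier is and how a defender can spot a client cycling through session values in access logs; the log format, the `sid=` field, the IP addresses and the `threshold` parameter are constructed assumptions.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access-log lines (not from the advisory): client IP,
# method, path and the session cookie value the request carried ("-" = none).
SAMPLE_LOG = """\
10.0.0.5 GET /login.cgi sid=-
10.0.0.5 GET /index.cgi sid=48213
10.0.0.7 GET /index.cgi sid=48213
10.0.0.9 GET /index.cgi sid=00001
10.0.0.9 GET /index.cgi sid=00002
10.0.0.9 GET /index.cgi sid=00003
10.0.0.9 GET /index.cgi sid=00004
10.0.0.9 GET /index.cgi sid=00005
10.0.0.9 GET /index.cgi sid=00006
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) sid=(?P<sid>\S+)$")


def session_keyspace(digits: int = 5) -> int:
    """Number of possible identifiers when a session is a fixed-width decimal integer."""
    return 10 ** digits


def is_low_entropy_sid(sid: str) -> bool:
    """True when the identifier is a plain decimal number of at most five digits."""
    return sid.isdigit() and len(sid) <= 5


def find_session_guessing(log_text: str, threshold: int = 5) -> dict[str, int]:
    """Return {client_ip: distinct_session_ids} for clients that presented more
    distinct session identifiers than `threshold`. A legitimate client normally
    holds one session at a time; many different values from one client means
    it is enumerating the (small) keyspace."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sid"] == "-":
            continue
        seen[m["ip"]].add(m["sid"])
    return {ip: len(sids) for ip, sids in seen.items() if len(sids) > threshold}


def hardened_session_id() -> str:
    """The shape a counter-style identifier should be replaced with: 128 bits
    from the OS CSPRNG, which is infeasible to enumerate."""
    return secrets.token_urlsafe(16)
```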