Multiple vulnerabilities in Cires21 products

Posted date 17/01/2024
Importance
5 - Critical
Affected Resources
  • C21 Live Encoder and Live Mosaic, version 5.3.
Description

INCIBE has coordinated the publication of two critical-severity vulnerabilities affecting Cires21 C21 Live Encoder and Live Mosaic, version 5.3, a solution for recording complete TV channel grids. They were discovered by Konrad Kowal Karp of Telefónica Tech.

These vulnerabilities have been assigned the following identifiers, CVSS v3.1 base scores, CVSS vectors and CWE weakness types:

  • CVE-2024-0642: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-284.
  • CVE-2024-0643: 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-434.
Solution

The vulnerabilities have been fixed by the Cires21 team in the latest software version of the affected products, released in the last week of November.

Detail
  • CVE-2024-0642: inadequate access control (CWE-284) in C21 Live Encoder and Live Mosaic, version 5.3. Because credentials are not properly managed, a remote, unauthenticated attacker (CVSS PR:N) can reach an application endpoint and obtain access to the application as an administrator user.
  • CVE-2024-0643: unrestricted upload of files with dangerous types (CWE-434) in C21 Live Encoder and Live Mosaic, version 5.3. A remote, unauthenticated attacker can upload files with any extension, with no restriction on name or content, which results in full compromise of the system.
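The two weakness classes above (CWE-284 inadequate access control and CWE-434 unrestricted upload of dangerous file types) in miniature, as an added example that is not Cires21 code and says nothing about how the affected product is actually built: a minimal Python upload handler in its unrestricted form beside a hardened one that checks a server-side session role on the endpoint, allowlists extensions, verifies the content's magic bytes, rejects double extensions, and stores the file under a server-chosen name outside the web root. The session store, tokens, roles, directories and function names are assumptions made for the example.

```python
"""Added illustration of CWE-284 and CWE-434 as described in this advisory.
Not Cires21 code; session store, roles, tokens and directories are assumed."""
import os
import secrets

# Constructed server-side session store (token -> principal), assumed for the example.
SESSIONS = {
    "tok-admin": {"user": "alice", "role": "admin"},
    "tok-viewer": {"user": "bob", "role": "viewer"},
}

# Allowlist: permitted extension -> magic bytes the content must begin with.
ALLOWED_UPLOADS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

WEB_ROOT = "/var/www/html"           # assumed; the vulnerable handler writes here
UPLOAD_DIR = "/var/lib/app/uploads"  # assumed; outside the web root


def vulnerable_upload(filename, data):
    """CWE-434 as described: no authentication, no extension or content check,
    and the caller's file name is used on disk inside the web root. Returns the
    path that would be written (nothing is written here)."""
    return os.path.join(WEB_ROOT, filename)


def authorize(token, required_role):
    """CWE-284 fix: resolve the caller from the server-side session and check the
    role on every privileged endpoint; nothing in the request body decides it."""
    principal = SESSIONS.get(token or "")
    if principal is None:
        return 401, "authentication required"
    if principal["role"] != required_role:
        return 403, "forbidden"
    return 200, principal


def validate_upload(filename, data):
    """CWE-434 fix. Returns (True, server_chosen_name) or (False, reason)."""
    # Drop any directory part so '../x.png' or 'C:\\x.png' cannot steer the write.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return False, "empty or malformed file name"
    root, ext = os.path.splitext(base.lower())   # '.htaccess' yields ext '' -> rejected
    if ext not in ALLOWED_UPLOADS:
        return False, f"extension {ext!r} not allowed"
    # 'shell.php.jpg' has an allowed last extension, but some servers map the
    # inner one to a script handler; reject double extensions outright.
    if "." in root:
        return False, "double extension rejected"
    if not data.startswith(ALLOWED_UPLOADS[ext]):
        return False, "content does not match the declared type"
    # The client's name is never reused on disk; the server picks a random one.
    return True, secrets.token_hex(16) + ext


def handle_upload(token, filename, data, upload_dir=None):
    """Hardened endpoint: role check first, then content validation. With
    upload_dir=None the decision is returned without touching the disk."""
    status, result = authorize(token, "admin")
    if status != 200:
        return status, result
    ok, detail = validate_upload(filename, data)
    if not ok:
        return 400, detail
    if upload_dir is not None:
        with open(os.path.join(upload_dir, detail), "xb") as fh:  # 'x': never overwrite
            fh.write(data)
    return 201, detail


if __name__ == "__main__":
    php = b"<?php system($_GET['c']); ?>"        # constructed web-shell payload
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # constructed PNG header
    print(vulnerable_upload("shell.php", php))            # lands in the web root
    print(handle_upload(None, "shell.php", php))          # 401, no session
    print(handle_upload("tok-viewer", "logo.png", png))   # 403, wrong role
    print(handle_upload("tok-admin", "shell.php", php))   # 400, extension not allowed
    print(handle_upload("tok-admin", "logo.png", png))    # 201, random .png name
```

The order of the checks matters: the role check runs before the body is parsed at all, so an unauthenticated caller never reaches the file-handling code, and the extension allowlist is applied to the server-normalised name rather than to whatever the client sent.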