CVE-2024-42048
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
07/08/2025
Last modified:
15/04/2026
Description
OpenOrange Business Framework version 1.15.5 installs to a directory with overly permissive access control, allowing all authenticated users to write to the installation path. In combination with the application's behavior of loading DLLs from this location, this allows for DLL hijacking and may result in arbitrary code execution and privilege escalation.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://attack.mitre.org/techniques/T1574/001
- https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya
- https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexa
- https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
- https://landings.openorange.com/l/erp-peru-a.html
- https://raw.githubusercontent.com/securityadvisories/Security-Advisories/refs/heads/main/Advisories/Blaze%20Information%20Security%20-%20DLL%20Hijacking%20in%20OpenOrange%20Business%20Framework%20Allows%20Arbitrary%20Code%20Execution%20and%20Potential%20Privilege%20Escalation.txt
- https://resources.infosecinstitute.com/topic/dll-hijacking
- https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
- https://www.openorange.com