CVE Radar Logo
CVERadar
CVE Radar Logo
CVERadar

CVE-2024-37846

High Severity
SVRS
47/100
CVSSv3
4.6/10
EPSS
0.00039/1

CVE-2024-37846: Client-Side Template Injection in MangoOS. This vulnerability allows attackers to inject malicious code via the Platform Management Edit page in MangoOS versions prior to 5.2.0. With an SVRS of 47, while not critical, it still poses a moderate risk. Exploitation could lead to unauthorized access and manipulation of the application. Though the CVSS score is only 4.6, the SVRS reflects additional factors, indicating a more nuanced threat profile. This CSTI vulnerability can be exploited to execute arbitrary code within the user's browser. Immediate patching to version 5.2.0 or later is recommended to mitigate potential risks associated with this security flaw. This allows threat actors to potentially compromise user sessions and data.

TAGS
In The Wild
VECTOR STRING
CVSS:3.1
AV:N
AC:L
PR:L
UI:R
S:U
C:L
I:L
A:N
PUBLICATION DATE2024-10-25
LAST MODIFIED2024-11-05
Eye Icon
SOCRadar
AI Insight

Description

CVE-2024-37846 is a Client-Side Template Injection (CSTI) vulnerability in MangoOS versions prior to 5.2.0. This vulnerability allows an attacker to inject malicious code into the Platform Management Edit page, potentially leading to remote code execution or other malicious activities.

Key Insights

  • SVRS Score: 42, indicating a moderate risk. While not as critical as vulnerabilities with SVRS scores above 80, it still warrants attention and timely mitigation.
  • Exploit Status: Active exploits have been published, making it crucial for organizations to patch their systems immediately.
  • CISA Warning: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of this vulnerability, urging organizations to take immediate action.
  • In the Wild: This vulnerability is actively exploited by hackers, highlighting the need for prompt mitigation.

Mitigation Strategies

  • Update MangoOS: Install the latest version of MangoOS (5.2.0 or later) to patch the vulnerability.
  • Restrict Access: Limit access to the Platform Management Edit page to authorized personnel only.
  • Implement Input Validation: Validate all user input on the Platform Management Edit page to prevent malicious code injection.
  • Monitor for Suspicious Activity: Regularly monitor logs and network traffic for any suspicious activity that may indicate exploitation attempts.

Additional Information

If you have any further questions regarding this incident, you can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

News

CVE-2024-37846 | MangoOS up to 5.1.x Platform Management Edit Page injection
vuldb.com2024-10-26
CVE-2024-37846 | MangoOS up to 5.1.x Platform Management Edit Page injection | A vulnerability classified as problematic has been found in MangoOS up to 5.1.x. Affected is an unknown function of the component Platform Management Edit Page. The manipulation leads to injection. This vulnerability is traded as CVE-2024-37846. The attack can only be done within the local network. There is
cve-2024-37846
domains
urls
cves

Social Media

🚨 CVE-2024-37846: Injection vulnerability in MangoOS up to 5.1.x Platform Management Edit Page. Risk: Attacker can manipulate system within local network. Recommendation: Upgrade affected component immediately to patch the flaw and reduce exploit risk. #CyberSecurity #PatchNow
0
0
0

Affected Software

No affected software found for this CVE

References

ReferenceLink
[email protected]https://github.com/herombey/Disclosures/blob/main/CVE-2024-37846-CSTI.pdf
[email protected]https://github.com/herombey/Disclosures/tree/main

CWE Details

CWE IDCWE NameDescription
CWE-94Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence