Description

The upload functionality of ASUS Download Master does not properly filter user input. Remote attackers with administrative privilege can exploit this vulnerability to upload any file to any location. They may even upload malicious web page files to the website directory, allowing arbitrary system commands to be executed upon browsing the webpage.

Classification

Assigner: [email protected]

CWE: CWE-434

Links
CPEs
  • asus download_master

CVSS

CVSS version: 3.1 Base score: 7.2
Base severity: HIGH Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability score: 1.2 Impact score: 5.9

Can you explain the CVE description?

This CVE description is for a vulnerability identified as CVE-2024-31161. The vulnerability is related to the upload functionality of ASUS Download Master, which does not properly filter user input. This allows remote attackers with administrative privilege to upload any file to any location, including malicious web page files to the website directory. This could potentially lead to arbitrary system commands being executed when the webpage is accessed. The CVSS score for this vulnerability is 7.2, indicating a high severity level. The vulnerability has been classified under CWE-434. The status of the vulnerability is EARLY_WARNING and it was published on June 14, 2024. The exploitability score is 1.2 and the impact score is 5.9. For more information, you can refer to the provided URLs for additional details on the vulnerability.

How can this vulnerability be part of an attack tree?

This vulnerability can be part of an attack tree by being used as an initial entry point for an attacker to gain administrative privileges on the target system. The attacker can exploit the vulnerability in ASUS Download Master to upload malicious web page files to the website directory, which can then be used to execute arbitrary system commands when the webpage is accessed. This could lead to further exploitation of the system, such as installing backdoors, exfiltrating sensitive data, or launching additional attacks within the network. By gaining administrative privileges through this vulnerability, the attacker can escalate their access and carry out more sophisticated attacks, ultimately compromising the integrity, confidentiality, and availability of the system and its data.


Generated on: 2024-07-01