How severe is CVE-2024-12908?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.9 out of 10.

What type of vulnerability is CVE-2024-12908?

This is classified as CWE-94, which is a common weakness in software security.

CVE-2024-12908 - MEDIUM Severity | CVSS 6.9

Vulnerability Description

Delinea addressed a reported case on Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URI's were compared before normalization and canonicalization, potentially leading to over matching against the approved list. If this attack were successfully exploited, a remote attacker may be able to convince a user to visit a malicious web-page, or open a malicious document which could trigger the vulnerable handler, allowing them to execute arbitrary code on the user's machine. Delinea added additional validation that the downloaded installer's batch file was in the expected format.

Related Vulnerabilities

CVE-2016-8354

HIGH

CVSS:7.0(High)

An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instruc...

CWE-942016

CVE-2017-13676

HIGH

CVSS:7.0(High)

Norton Remove & Reinstall can be susceptible to a DLL preloading vulnerability. These types of issues occur when an application looks to call a DLL for execution and an attacker provides a malicious D...

CWE-942017

CVE-2017-6455

HIGH

CVSS:7.0(High)

NTP before 4.2.8p10 and 4.3.x before 4.3.94, when using PPSAPI, allows local users to gain privileges via a DLL in the PPSAPI_DLLS environment variable.

CWE-942017

CVE-2017-8284

HIGH

CVSS:7.0(High)

The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain priv...

CWE-942017

CVE-2019-11552

HIGH

CVSS:7.0(High)

Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser p...

CWE-942019

CVE-2024-6655

HIGH

CVSS:7.0(High)

A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.

CWE-942024