How severe is CVE-2024-24578?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 10 out of 10.

What type of vulnerability is CVE-2024-24578?

This is classified as CWE-23, which is a common weakness in software security.

CVE-2024-24578 - CRITICAL Severity | CVSS 10

Vulnerability Description

RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.

Related Vulnerabilities

CVE-2023-2356

CRITICAL

CVSS:10.0(Critical)

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

CWE-232023

CVE-2023-3941

CRITICAL

CVSS:10.0(Critical)

Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X...

CWE-232023

CVE-2024-0520

CRITICAL

CVSS:10.0(Critical)

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.h...

CWE-232024

CVE-2023-40714

CRITICAL

CVSS:9.9(Critical)

A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements

CWE-232023

CVE-2024-3025

CRITICAL

CVSS:9.9(Critical)

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by...

CWE-232024

CVE-2017-9664

CRITICAL

CVSS:9.8(Critical)

In ABB SREA-01 revisions A, B, C: application versions up to 3.31.5, and SREA-50 revision A: application versions up to 3.32.8, an attacker may access internal files of ABB SREA-01 and SREA-50 legacy ...

CWE-232017