Skip to the content.

DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey

Our reference DIVD-2024-00031
Case lead Alwin Warringa
Author Victor Pasman
Researcher(s)
CVE(s)
Products
  • ComfortKey
Versions
  • < 24.1.2.
Recommendation Check for the patched versions and get those installed
Patch status Released
Workaround N/A
Status Open
Last modified 15 Dec 2024 17:22 CET

Summary

An Unauthenticated Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.

Recommendations

Comfort Key released patched version 24.1.2. Please update to this version number or higher if possible.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of ComfortKey and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collect the software version number if possible.

Timeline

Date Description
02 Jul 2024 DIVD contacted the vendor to disclose the vulnerability.
04 Jul 2024 Supplier created/delivered beta version for retesting.
05 Jul 2024 Patch was verified, vulnerability was resolved.
05 Aug 2024 First version of this casefile.
gantt title DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey (still open) :2024-08-05, 2024-12-24 section Events DIVD contacted the vendor to disclose the vulnerability. : milestone, 2024-07-02, 0d Supplier created/delivered beta version for retesting. : milestone, 2024-07-04, 0d Patch was verified, vulnerability was resolved. : milestone, 2024-07-05, 0d First version of this casefile. : milestone, 2024-08-05, 0d

More information