DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey
Our reference | DIVD-2024-00031 |
---|---|
Case lead | Alwin Warringa |
Author | Victor Pasman |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Check for the patched versions and get those installed |
Patch status | Released |
Workaround | N/A |
Status | Closed |
Last modified | 10 Mar 2025 09:57 CET |
Summary
An Unauthenticated Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.
Recommendations
ComfortKey version 24.1.2 has been released with a fix for this vulnerability. Please update to this version or higher if possible.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of ComfortKey and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collecting the software version number where possible.
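As an added illustration (not DIVD's or the vendor's code), the Python helper below triages collected ComfortKey version strings against the patched release 24.1.2 named in the recommendation above. It compares versions numerically rather than as strings, so that 24.1.10 is correctly treated as newer than 24.1.2. The host names and versions are constructed sample data, and the treatment of pre-release builds (a beta labelled 24.1.2 is counted as not yet patched) is an assumption of this example, not a statement from the advisory.

```python
"""Triage ComfortKey version strings against the patched release (24.1.2)
named in DIVD-2024-00031. Added example, not DIVD's or Celsius Benelux's code;
all host names and versions below are constructed sample data."""
import re

# Patched release named in the advisory, as a numeric tuple for comparison.
FIXED_VERSION = (24, 1, 2)

# Accepts "24.1.2", "v24.1.10", "24.1" and an optional pre-release label
# such as "24.1.2-beta" (the label syntax is an assumption of this example).
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return (numeric tuple, pre-release label or None) for a version string.

    Tuples compare element-wise, which avoids the string-comparison trap
    where "24.1.10" < "24.1.2"."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Pad short forms so "24.1" compares as 24.1.0.
    nums = nums + (0,) * max(0, 3 - len(nums))
    # Drop trailing zeros beyond three components so 24.1.2.0 == 24.1.2.
    while len(nums) > 3 and nums[-1] == 0:
        nums = nums[:-1]
    return nums, m.group(2)


def is_patched(text):
    """True when the version is 24.1.2 or higher. A pre-release build of the
    fixed version (e.g. 24.1.2-beta) is conservatively treated as unpatched."""
    nums, prerelease = parse_version(text)
    if nums > FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and prerelease is None


def triage(inventory):
    """Map host -> 'patched' | 'vulnerable' | 'unknown'.

    inventory maps host to a version string, or None when the version could
    not be read (the advisory notes collection is only done where possible)."""
    result = {}
    for host, version in inventory.items():
        if version is None:
            result[host] = "unknown"
            continue
        try:
            result[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; none of these hosts exist.
SAMPLE_INVENTORY = {
    "ck-01.example.internal": "24.1.2",        # exactly the fixed release
    "ck-02.example.internal": "24.1.10",       # newer than the fix
    "ck-03.example.internal": "24.0.9",        # older release
    "ck-04.example.internal": "v23.2.1-beta",  # old pre-release build
    "ck-05.example.internal": None,            # version could not be read
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:25} {status}")
```

Hosts reported as "unknown" still need a follow-up by other means, since a missing version number says nothing about whether the fix is installed.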
Timeline
Date | Description |
---|---|
02 Jul 2024 | DIVD contacted the vendor to disclose the vulnerability. |
04 Jul 2024 | Supplier created/delivered beta version for retesting. |
05 Jul 2024 | Patch was verified, vulnerability was resolved. |
05 Aug 2024 | First version of this casefile. |
14 Sep 2024 | DIVD notified system owners with a vulnerable application. |
26 Feb 2025 | DIVD closes the case. |
```mermaid
gantt
title DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey (205 days) :2024-08-05, 2025-02-26
section Events
DIVD contacted the vendor to disclose the vulnerability. : milestone, 2024-07-02, 0d
Supplier created/delivered beta version for retesting. : milestone, 2024-07-04, 0d
Patch was verified, vulnerability was resolved. : milestone, 2024-07-05, 0d
First version of this casefile. : milestone, 2024-08-05, 0d
DIVD notified system owners with a vulnerable application. : milestone, 2024-09-14, 0d
DIVD closes the case. : milestone, 2025-02-26, 0d
```