CVE-2024-27120

Local File Inclusion in ComfortKey before version 24.1.2

CVE

CVE-2024-27120

Title

Local File Inclusion in ComfortKey before version 24.1.2

Credits

Alwin Warringa (finder)
Max van der Horst (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Celsius Benelux ComfortKey	>= * to < 24.1.2 ()
Celsius Benelux ComfortKey		everything else

CVSS

Base score	7.7 - HIGH
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	LOW	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	NONE	Subsequent systems	NONE
Availability Impact
Vulnerable system	NONE	Subsequent systems	NONE
Safety impact	PRESENT
Automatable	YES
Recovery	USER
Value Density	CONCENTRATED
Vulnerability Response effort	MODERATE
Provider Urgency	RED

References

https://csirt.divd.nl/CVE-2024-27120 ( third-party-advisory )
https://csirt.divd.nl/DIVD-2024-00031/ ( third-party-advisory )

Problem type(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Impact(s)

CAPEC-126 Path Traversal

Date published

Last modified

Description

A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system. The vulnerability has been remediated in version 24.1.2.

JSON version.

DIVD CSIRT

CVE-2024-27120

Local File Inclusion in ComfortKey before version 24.1.2

Description