CVE-2024-29836

Broken Authentication on USER_CHANGE in Evolution Controller allows unauthenticated account creation and takeover

CVSS 9.8 CRITICALEPSS 0.6%CWE-284

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 0.6%KEV nãoPoC —Patch —

Lifecycle

Apr 14, 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

CS Technologies Australia · Evolution Controller

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://directcyber.com.au/sa/CVE-2024-29836-to-29844-evolution-controller-multiple-vulnerabilities.html