CVE-2024-42048
CVE-2024-42048
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
07 ago 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
OpenOrange Business Framework version 1.15.5 installs to a directory with overly permissive access control, allowing all authenticated users to write to the installation path. In combination with the application's behavior of loading DLLs from this location, this allows for DLL hijacking and may result in arbitrary code execution and privilege escalation.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Productos afectados
n/a · n/aReferencias
https://attack.mitre.org/techniques/T1574/001https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryahttps://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexahttps://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-orderhttps://landings.openorange.com/l/erp-peru-a.htmlhttps://raw.githubusercontent.com/securityadvisories/Security-Advisories/refs/heads/main/Advisories/Blaze%20Information%20Security%20-%20DLL%20Hijacking%20in%20OpenOrange%20Business%20Framework%20Allows%20Arbitrary%20Code%20Execution%20and%20Potential%20Privilege%20Escalation.txthttps://resources.infosecinstitute.com/topic/dll-hijackinghttps://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1https://www.openorange.com