CVE-2024-21872
published 2024-04-18CVE-2024-21872: The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allows more critical operations to the…
PriorityP352high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.55%
41.9th percentile
The device allows an unauthenticated attacker to bypass authentication
and modify the cookie to reveal hidden pages that allows more critical
operations to the transmitter.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| electrolink | compact_dab_transmitter | — | — |
| electrolink | compact_dab_transmitter | — | — |
| electrolink | compact_dab_transmitter | — | — |
| electrolink | compact_fm_transmitter | — | — |
| electrolink | compact_fm_transmitter | — | — |
| electrolink | compact_fm_transmitter | — | — |
| electrolink | compact_fm_transmitter | — | — |
| electrolink | digital_fm_transmitter | 15W – 40kW | — |
| electrolink | high_power_dab_transmitter | — | — |
| electrolink | high_power_dab_transmitter | — | — |
| electrolink | high_power_dab_transmitter | — | — |
| electrolink | high_power_dab_transmitter | — | — |
| electrolink | medium_dab_transmitter | — | — |
| electrolink | medium_dab_transmitter | — | — |
| electrolink | medium_dab_transmitter | — | — |
| electrolink | modular_fm_transmitter | — | — |
| electrolink | modular_fm_transmitter | — | — |
| electrolink | modular_fm_transmitter | — | — |
| electrolink | modular_fm_transmitter | — | — |
| electrolink | modular_fm_transmitter | — | — |
| electrolink | modular_fm_transmitter | — | — |
| electrolink | uhf_tv_transmitter | 10W – 5kW | — |
| electrolink | vhf_tv_transmitter | — | — |
| electrolink | vhf_tv_transmitter | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9c86-qqfm-5hf3: The device allows an unauthenticated attacker to bypass authentication
and modify the cookie to reveal hidden pages that allows more critical
operatio
ghsa_unreviewed·2024-04-19
CVE-2024-21872 [HIGH] CWE-565 GHSA-9c86-qqfm-5hf3: The device allows an unauthenticated attacker to bypass authentication
and modify the cookie to reveal hidden pages that allows more critical
operatio
The device allows an unauthenticated attacker to bypass authentication
and modify the cookie to reveal hidden pages that allows more critical
operations to the transmitter.
CISA ICS
Electrolink FM/DAB/TV Transmitter
cisa_ics·2024-04-16·CVSS 8.7
[HIGH] Electrolink FM/DAB/TV Transmitter
ICS Advisory
##
Electrolink FM/DAB/TV Transmitter
Release DateApril 16, 2024
Alert CodeICSA-24-107-02
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Electrolink
- Equipment: FM/DAB/TV Transmitter
- Vulnerabilities: Authentication Bypass by Assumed-Immutable Data, Reliance on Cookies without Validation and Integrity Checking, Missing Authentication for Critical Function, Cleartext Storage of Sensitive Information
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to obtain full system access, keep the device from transmitting, escalate privileges, change credentials, and execute arbitrary code.
## 3. TECHNICAL DETAILS
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-04-18
Published