CVE-2024-2420
Published 2024-05-30
Priority: P2 · 63 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% (39.3th percentile)
LenelS2 NetBox access control and event monitoring system was discovered to contain Hardcoded Credentials in versions prior to and including 5.6.1 which allows an attacker to bypass authentication requirements.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | lenels2_netbox | < 5.6.2 | 5.6.2 |
| lenels2 | netbox | All – 5.6.1 | — |
| msrc | microsoft_edge | — | — |
| msrc | microsoft_edge_extended_stable | — | — |
Detection & IOCs (extracted from sources)
- Target product: LenelS2 NetBox access control and event monitoring system running versions prior to and including 5.6.1 is vulnerable to hardcoded credential authentication bypass (CVE-2024-2420). Scan/fingerprint NetBox instances exposed to the network.
- CVE-2024-2420 is exploitable remotely with no authentication and low attack complexity (CVSS v3.1 9.8, AV:N/AC:L/PR:N/UI:N). Prioritize detection of unauthenticated login attempts against NetBox management interfaces.
- Successful exploitation of CVE-2024-2420 (hardcoded credentials) may be chained with CVE-2024-2421 (unauthenticated RCE) and CVE-2024-2422 (authenticated RCE/argument injection) to achieve full system compromise with elevated permissions on LenelS2 NetBox devices.
- No specific hardcoded credential values, hashes, or exploit payloads are publicly disclosed in the available sources. The exact credential strings are not documented, limiting signature-based detection of credential use.
- No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at time of publication (May 30, 2024), so no in-the-wild IOCs are available.
- The fixed version is NetBox 5.6.2. All deployments on versions ≤5.6.1 should be treated as potentially compromised. Upgrade requires contacting an authorized installer.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_msrc | — | 9.6 | CRITICAL | — |
CISA ICS
LenelS2 NetBox
cisa_ics·2024-05-30·CVSS 8.8
[HIGH] LenelS2 NetBox
ICS Advisory
## LenelS2 NetBox
Release Date: May 30, 2024
Alert Code: ICSA-24-151-01
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: LenelS2
- Equipment: NetBox
- Vulnerabilities: Use of Hard-coded Password, OS Command Injection, Argument Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute malicious commands with elevated permissions.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following products of LenelS2, a Carrier Brand, are affected:
- NetBox: All versions prior to 5.6.2
## 3.2 Vulnerability Overview
## 3.2.1 USE OF HARD-CODED PASSWORD CWE-259
LenelS2 NetBox access control and event moni
Microsoft
Chromium: CVE-2024-3516 Heap buffer overflow in ANGLE
vendor_msrc·2024-04-09·CVSS 6.5
CVE-2024-3516 [MEDIUM] Chromium: CVE-2024-3516 Heap buffer overflow in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.97 | 4/12/2024 | 123.0.6312.122/.123 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microso
Microsoft
Chromium: CVE-2024-3515 Use after free in Dawn
vendor_msrc·2024-04-09·CVSS 6.5
CVE-2024-3515 [MEDIUM] Chromium: CVE-2024-3515 Use after free in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.97 | 4/12/2024 | 123.0.6312.122/.123 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge
Microsoft
Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability
vendor_msrc·2024-04-09·CVSS 4.1
CVE-2024-29049 [MEDIUM] CWE-79 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.81 | 4/4/2024 | 123.0.6312.105/.106/.107 |
| Extended Stable | 122.0.2365.120 | 4/4/2024 | 122.0.6261.156 |
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send the user a malicious file and convince them to open it.
FAQ: According to the CVSS metrics, successful exploitation of
Microsoft
Microsoft Edge (Chromium-based) Spoofing Vulnerability
vendor_msrc·2024-04-09·CVSS 4.3
CVE-2024-29981 [MEDIUM] CWE-1021 Microsoft Edge (Chromium-based) Spoofing Vulnerability
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could cover and spoof elements of the UI. The modified information is only visual.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.81 | 4/4/2024 | 123.0.6312.105/.106/.107 |
| Extended Stable | 122.0.2365.120 | 4/4/2024 | 122.0.6261.156 |
FAQ: How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vu
Microsoft
Chromium: CVE-2024-3157 Out of bounds write in Compositing
vendor_msrc·2024-04-09·CVSS 9.6
CVE-2024-3157 [CRITICAL] Chromium: CVE-2024-3157 Out of bounds write in Compositing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.97 | 4/12/2024 | 123.0.6312.122/.123 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Mi
Microsoft
Chromium: CVE-2024-2628 Inappropriate implementation in Downloads
vendor_msrc·2024-03-12·CVSS 4.3
CVE-2024-2628 [MEDIUM] Chromium: CVE-2024-2628 Inappropriate implementation in Downloads
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In yo
Microsoft
Chromium: CVE-2024-2629 Incorrect security UI in iOS
vendor_msrc·2024-03-12·CVSS 4.3
CVE-2024-2629 [MEDIUM] Chromium: CVE-2024-2629 Incorrect security UI in iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft
Microsoft
Chromium: CVE-2024-2626 Out of bounds read in Swiftshader
vendor_msrc·2024-03-12·CVSS 6.5
CVE-2024-2626 [MEDIUM] Chromium: CVE-2024-2626 Out of bounds read in Swiftshader
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Micro
Microsoft
Chromium: CVE-2024-2627 Use after free in Canvas
vendor_msrc·2024-03-12·CVSS 8.8
CVE-2024-2627 [HIGH] Chromium: CVE-2024-2627 Use after free in Canvas
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge
Microsoft
Chromium: CVE-2024-2887 Type Confusion in WebAssembly
vendor_msrc·2024-03-12·CVSS 7.7
CVE-2024-2887 [HIGH] Chromium: CVE-2024-2887 Type Confusion in WebAssembly
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.65 | 3/26/2024 | 123.0.6312.86/.87 |
| Extended Stable | 122.0.2365.113 | 3/26/2024 | 122.0.6261.148 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
Ho
Microsoft
Chromium: CVE-2024-2886 Use after free in WebCodecs
vendor_msrc·2024-03-12·CVSS 7.5
CVE-2024-2886 [HIGH] Chromium: CVE-2024-2886 Use after free in WebCodecs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.65 | 3/26/2024 | 123.0.6312.86/.87 |
| Extended Stable | 122.0.2365.113 | 3/26/2024 | 122.0.6261.148 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How
Microsoft
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
vendor_msrc·2024-03-12·CVSS 4.7
CVE-2024-26247 [MEDIUM] CWE-269 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted URL to be
Microsoft
Chromium: CVE-2024-2625 Object lifecycle issue in V8
vendor_msrc·2024-03-12·CVSS 8.8
CVE-2024-2625 [HIGH] Chromium: CVE-2024-2625 Object lifecycle issue in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft
Microsoft
Chromium: CVE-2024-2630 Inappropriate implementation in iOS
vendor_msrc·2024-03-12·CVSS 6.5
CVE-2024-2630 [MEDIUM] Chromium: CVE-2024-2630 Inappropriate implementation in iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Mic
Microsoft
Microsoft Edge (Chromium-based) Spoofing Vulnerability
vendor_msrc·2024-03-12·CVSS 4.3
CVE-2024-29057 [MEDIUM] CWE-357 Microsoft Edge (Chromium-based) Spoofing Vulnerability
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted URL to be compromised by the attacker.
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could cover and spoof elements of the UI. The modified information is only visual.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
Microsoft Edge (Chromium-based): Microsoft Edge (Chromium-based)
Microsoft: Mi
Microsoft
Chromium: CVE-2024-2631 Inappropriate implementation in iOS
vendor_msrc·2024-03-12·CVSS 4.3
CVE-2024-2631 [MEDIUM] Chromium: CVE-2024-2631 Inappropriate implementation in iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.53 | 3/22/2024 | 123.0.6312.58/.59 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Mic
Microsoft
Chromium: CVE-2024-2883 Use after free in ANGLE
vendor_msrc·2024-03-12·CVSS 8.8
CVE-2024-2883 [HIGH] Chromium: CVE-2024-2883 Use after free in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.65 | 3/26/2024 | 123.0.6312.86/.87 |
| Extended Stable | 122.0.2365.113 | 3/26/2024 | 122.0.6261.148 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
Chromium: CVE-2024-2885 Use after free in Dawn
vendor_msrc·2024-03-12·CVSS 8.8
CVE-2024-2885 [HIGH] Chromium: CVE-2024-2885 Use after free in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 123.0.2420.65 | 3/26/2024 | 123.0.6312.86/.87 |
| Extended Stable | 122.0.2365.113 | 3/26/2024 | 122.0.6261.148 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.