CVE-2024-43655
Published 2025-01-09. CVE-2024-43655: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects…
Priority: P2 · 63 · Critical 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X
EPSS: 1.19% (64.1st percentile)
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
This issue affects Iocharger firmware for AC model chargers before version 24120701.
Likelihood: Moderate – The attacker first needs to find the name of the script, and needs a (low-privilege) account to gain access to the script, or must convince a user with such access to send a request to it.
Impact: Critical – The attacker has full control over the charging station as the root user, and can arbitrarily add, modify and delete files and services.
CVSS clarification: Any network interface serving the web UI is vulnerable (AV:N), there are no additional security measures to circumvent (AC:L), and the attack does not require any existing preconditions (AT:N). The attack is authenticated, but the level of authentication does not matter (PR:L), nor is any user interaction required (UI:N). The attack leads to a full compromise (VC:H/VI:H/VA:H), and compromised devices can be used to pivot into networks that should potentially not be accessible (SC:L/SI:L/SA:H). Because this is an EV charger handling significant power, there is a potential safety impact (S:P). This attack can be automated (AU:Y).
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| composer | composer | >= 0 < 1.0.0~beta2-1ubuntu0.1~esm2 | 1.0.0~beta2-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.6.3-1ubuntu0.1~esm2 | 1.6.3-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.10.1-1ubuntu0.1~esm2 | 1.10.1-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 2.2.6-2ubuntu4+esm1 | 2.2.6-2ubuntu4+esm1 |
| composer | composer | >= 0 < 2.7.1-2ubuntu0.1~esm1 | 2.7.1-2ubuntu0.1~esm1 |
| iocharger | iocharger_firmware_for_ac_models | < 24120701 | 24120701 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X |
| osv | (not stated) | 8.8 | HIGH | (not stated) |
OSV
composer vulnerabilities (osv · 2025-06-30 · CVSS 8.8; CVE-2022-24828)
Thomas Chauchefoin discovered that Composer did not correctly handle
certain arguments. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-24828, CVE-2023-43655)
Ed Cradock discovered that Composer did not correctly handle the exclusion
of certain files. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)
Martin Haunschmid discovered that Composer did not correctly handle git
branch names. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-35241)
Maciej Piechota discovered that Composer did not correctly handle VCS
branch names. An
GHSA
GHSA-2fff-928r-p76x (ghsa_unreviewed · 2025-01-09): CVE-2024-43655 [CRITICAL] CWE-78 – Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.