CVE-2022-24915 - Vulnerability Details - OpenCVE

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Ipcomm	Ipdio Ipdio Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ipcomm:ipdio_firmware:3.9:*:*:*:*:*:*:*

cpe:2.3:h:ipcomm:ipdio:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01

History

Wed, 16 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-09T15:34:08.852Z

Updated: 2025-04-16T18:00:07.673Z

Reserved: 2022-02-15T00:00:00.000Z

Link: CVE-2022-24915

Vulnrichment

Updated: 2024-08-03T04:29:00.775Z

NVD

Status : Modified

Published: 2022-03-10T17:46:38.743

Modified: 2024-11-21T06:51:22.840

Link: CVE-2022-24915

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "IPCOMM ipDIO", "vendor": "IPCOMM", "versions": [{"status": "affected", "version": "3.9"}]}], "credits": [{"lang": "en", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21Sec reported these vulnerabilities to CISA."}], "datePublic": "2022-03-03T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T15:34:08.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}], "solutions": [{"lang": "en", "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page."}], "source": {"advisory": "ICSA-22-062-01", "discovery": "EXTERNAL"}, "title": "ICSA-22-062-01 IPCOMM ipDIO", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-03T18:40:00.000Z", "ID": "CVE-2022-24915", "STATE": "PUBLIC", "TITLE": "ICSA-22-062-01 IPCOMM ipDIO"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "IPCOMM ipDIO", "version": {"version_data": [{"version_affected": "=", "version_name": "3.9", "version_value": "3.9"}]}}]}, "vendor_name": "IPCOMM"}]}}, "credit": [{"lang": "eng", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21Sec reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services)."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}]}, "solution": [{"lang": "en", "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page."}], "source": {"advisory": "ICSA-22-062-01", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:29:00.775Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T17:31:04.662244Z", "id": "CVE-2022-24915", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T18:00:07.673Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-24915", "datePublished": "2022-03-09T15:34:08.852Z", "dateReserved": "2022-02-15T00:00:00.000Z", "dateUpdated": "2025-04-16T18:00:07.673Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:29:00.775Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24915", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T17:31:04.662244Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T17:31:05.974Z"}}], "cna": {"title": "ICSA-22-062-01 IPCOMM ipDIO", "source": {"advisory": "ICSA-22-062-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21Sec reported these vulnerabilities to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "IPCOMM", "product": "IPCOMM ipDIO", "versions": [{"status": "affected", "version": "3.9"}]}], "solutions": [{"lang": "en", "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page."}], "datePublic": "2022-03-03T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-03-09T15:34:08.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21Sec reported these vulnerabilities to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-22-062-01", "discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "3.9", "version_value": "3.9", "version_affected": "="}]}, "product_name": "IPCOMM ipDIO"}]}, "vendor_name": "IPCOMM"}]}}, "solution": [{"lang": "en", "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-24915", "STATE": "PUBLIC", "TITLE": "ICSA-22-062-01 IPCOMM ipDIO", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-03T18:40:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-24915", "state": "PUBLISHED", "dateUpdated": "2025-04-16T18:00:07.673Z", "dateReserved": "2022-02-15T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-03-09T15:34:08.852Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ipcomm:ipdio_firmware:3.9:*:*:*:*:*:*:*", "matchCriteriaId": "7CCFF2C1-ED64-44C3-94D3-D5179BB3F822", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ipcomm:ipdio:-:*:*:*:*:*:*:*", "matchCriteriaId": "034252D1-4CDB-4813-8831-8A0CCBC1E1C4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services)."}, {"lang": "es", "value": "Una ausencia de filtros cuando son cargadas algunas secciones en la aplicaci\u00f3n web del dispositivo vulnerable permite a atacantes inyectar c\u00f3digo malicioso que ser\u00e1 interpretado cuando un usuario leg\u00edtimo acceda a la secci\u00f3n web donde es mostrada la informaci\u00f3n. La inyecci\u00f3n puede realizarse sobre par\u00e1metros espec\u00edficos. El c\u00f3digo inyectado es ejecutado cuando un usuario leg\u00edtimo intenta cargar, copiar, descargar o eliminar una configuraci\u00f3n existente (Servicios Administrativos)"}], "id": "CVE-2022-24915", "lastModified": "2024-11-21T06:51:22.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T17:46:38.743", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}