CVE-2024-12530 - Vulnerability Details - OpenCVE

Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://portal.microfocus.com/s/article/KM000040073?

History

Thu, 17 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 17 Apr 2025 15:45:00 +0000

Type	Values Removed	Values Added
Description		Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.
Title		Insecure Dynamic-Link Library (DLL) Load vulnerability
Weaknesses		CWE-427
References		https://portal.microfocus.com/s/article/KM000040073?
Metrics		cvssV4_0 `{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: OpenText

Published: 2025-04-17T15:35:32.645Z

Updated: 2025-04-17T18:34:59.014Z

Reserved: 2024-12-11T14:38:14.057Z

Link: CVE-2024-12530

Vulnrichment

Updated: 2025-04-17T18:34:54.263Z

NVD

Status : Awaiting Analysis

Published: 2025-04-17T16:15:27.360

Modified: 2025-04-17T20:21:48.243

Link: CVE-2024-12530

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12530", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "state": "PUBLISHED", "assignerShortName": "OpenText", "dateReserved": "2024-12-11T14:38:14.057Z", "datePublished": "2025-04-17T15:35:32.645Z", "dateUpdated": "2025-04-17T18:34:59.014Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Secure Content Manager", "vendor": "OpenText", "versions": [{"status": "affected", "version": "23.4", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Kirwin Webb of Dvuln"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.<p>This issue affects Secure Content Manager: 23.4.</p>End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.<br>"}], "value": "Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4.\n\nEnd-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application."}], "impacts": [{"capecId": "CAPEC-641", "descriptions": [{"lang": "en", "value": "CAPEC-641 DLL Side-Loading"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2025-04-17T15:35:32.645Z"}, "references": [{"url": "https://portal.microfocus.com/s/article/KM000040073?"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Loading the Dynamic-Link Libraries (DLLs) using fully qualified paths.<br><br>Apply one of the following patches depending on the version deployed in your environment<br><br>Secure Content Manager 23.4 Patch 3: Patch 219857 \u2013 Content Manager 23.4 Patch 3 Build 260<br>Secure Content Manager 23.4 Patch 1 HF 7: HOTFIX30220 \u2013 Content Manager 23.4 Patch 1 HF 7<br>Secure Content Manager 23.4 Patch 2 HF 1: HOTFIX30427 \u2013 Content Manager 23.4 Patch 2 HF 1"}], "value": "Loading the Dynamic-Link Libraries (DLLs) using fully qualified paths.\n\nApply one of the following patches depending on the version deployed in your environment\n\nSecure Content Manager 23.4 Patch 3: Patch 219857 \u2013 Content Manager 23.4 Patch 3 Build 260\nSecure Content Manager 23.4 Patch 1 HF 7: HOTFIX30220 \u2013 Content Manager 23.4 Patch 1 HF 7\nSecure Content Manager 23.4 Patch 2 HF 1: HOTFIX30427 \u2013 Content Manager 23.4 Patch 2 HF 1"}], "source": {"discovery": "EXTERNAL"}, "title": "Insecure Dynamic-Link Library (DLL) Load vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-17T18:11:41.039129Z", "id": "CVE-2024-12530", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T18:34:59.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-17T18:11:41.039129Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T18:34:54.263Z"}}], "cna": {"title": "Insecure Dynamic-Link Library (DLL) Load vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Kirwin Webb of Dvuln"}], "impacts": [{"capecId": "CAPEC-641", "descriptions": [{"lang": "en", "value": "CAPEC-641 DLL Side-Loading"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenText", "product": "Secure Content Manager", "versions": [{"status": "affected", "version": "23.4", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Loading the Dynamic-Link Libraries (DLLs) using fully qualified paths.\n\nApply one of the following patches depending on the version deployed in your environment\n\nSecure Content Manager 23.4 Patch 3: Patch 219857 \u2013 Content Manager 23.4 Patch 3 Build 260\nSecure Content Manager 23.4 Patch 1 HF 7: HOTFIX30220 \u2013 Content Manager 23.4 Patch 1 HF 7\nSecure Content Manager 23.4 Patch 2 HF 1: HOTFIX30427 \u2013 Content Manager 23.4 Patch 2 HF 1", "supportingMedia": [{"type": "text/html", "value": "Loading the Dynamic-Link Libraries (DLLs) using fully qualified paths.<br><br>Apply one of the following patches depending on the version deployed in your environment<br><br>Secure Content Manager 23.4 Patch 3: Patch 219857 \u2013 Content Manager 23.4 Patch 3 Build 260<br>Secure Content Manager 23.4 Patch 1 HF 7: HOTFIX30220 \u2013 Content Manager 23.4 Patch 1 HF 7<br>Secure Content Manager 23.4 Patch 2 HF 1: HOTFIX30427 \u2013 Content Manager 23.4 Patch 2 HF 1", "base64": false}]}], "references": [{"url": "https://portal.microfocus.com/s/article/KM000040073?"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4.\n\nEnd-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.", "supportingMedia": [{"type": "text/html", "value": "Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.<p>This issue affects Secure Content Manager: 23.4.</p>End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2025-04-17T15:35:32.645Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12530", "state": "PUBLISHED", "dateUpdated": "2025-04-17T18:34:59.014Z", "dateReserved": "2024-12-11T14:38:14.057Z", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "datePublished": "2025-04-17T15:35:32.645Z", "assignerShortName": "OpenText"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4.\n\nEnd-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application."}], "id": "CVE-2024-12530", "lastModified": "2025-04-17T20:21:48.243", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2025-04-17T16:15:27.360", "references": [{"source": "security@opentext.com", "url": "https://portal.microfocus.com/s/article/KM000040073?"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security@opentext.com", "type": "Primary"}]}