CVE-2024-1890 - Vulnerability Details - OpenCVE

Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sma	Sunny Webbox Sunny Webbox Firmware

Configuration 1 [-]

AND

cpe:2.3:o:sma:sunny_webbox_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sma:sunny_webbox:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products

History

Tue, 11 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:h:sma:cluster_controller:::::::: cpe:2.3:o:sma:cluster_controller_firmware:01.05.01.r:::::::*
Vendors & Products	Sma cluster Controller Sma cluster Controller Firmware

Thu, 27 Feb 2025 22:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sma Sma cluster Controller Sma cluster Controller Firmware Sma sunny Webbox Sma sunny Webbox Firmware
CPEs		cpe:2.3:h:sma:cluster_controller:::::::: cpe:2.3:h:sma:sunny_webbox:::::::: cpe:2.3:o:sma:cluster_controller_firmware:01.05.01.r:::::::* cpe:2.3:o:sma:sunny_webbox_firmware::::::::
Vendors & Products		Sma Sma cluster Controller Sma cluster Controller Firmware Sma sunny Webbox Sma sunny Webbox Firmware

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-02-26T13:40:27.338Z

Updated: 2024-08-01T18:56:22.676Z

Reserved: 2024-02-26T11:41:42.857Z

Link: CVE-2024-1890

Vulnrichment

Updated: 2024-08-01T18:56:22.676Z

NVD

Status : Analyzed

Published: 2024-02-26T16:27:55.340

Modified: 2025-03-11T14:51:33.223

Link: CVE-2024-1890

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1890", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-02-26T11:41:42.857Z", "datePublished": "2024-02-26T13:40:27.338Z", "dateUpdated": "2024-08-01T18:56:22.676Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sunny Webbox", "vendor": "SMA", "versions": [{"lessThanOrEqual": "1.61", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Matilla Rebollo"}], "datePublic": "2024-02-26T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier."}], "value": "Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-03-07T17:14:11.505Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "title": "Clickjacking vulnerability in Sunny Webbox", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-17T18:42:20.914349Z", "id": "CVE-2024-1890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T18:42:43.466Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.676Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.676Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-17T18:42:20.914349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T18:42:33.167Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Clickjacking vulnerability in Sunny Webbox", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Matilla Rebollo"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SMA", "product": "Sunny Webbox", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.61"}], "defaultStatus": "unaffected"}], "datePublic": "2024-02-26T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-03-07T17:14:11.505Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1890", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:56:22.676Z", "dateReserved": "2024-02-26T11:41:42.857Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-02-26T13:40:27.338Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sma:sunny_webbox_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AA41F6C-CC24-497B-99E5-F6F4205D0364", "versionEndIncluding": "1.61", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sma:sunny_webbox:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E1D0797-846A-436A-BBEA-EA222E826CBF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [{"sourceIdentifier": "cve-coordination@incibe.es", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier."}, {"lang": "es", "value": "Vulnerabilidad por la cual un atacante podr\u00eda enviar un enlace malicioso a un operador autenticado, lo que podr\u00eda permitir a atacantes remotos realizar un ataque de clickjacking en la versi\u00f3n de firmware 1.6.1 y anteriores de Sunny WebBox."}], "id": "CVE-2024-1890", "lastModified": "2025-03-11T14:51:33.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-26T16:27:55.340", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-sma-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}