CVE-2024-57968 : Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload

Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.

Published 2025-02-03 00:00:00

Updated 2025-03-13 14:31:46

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2024-57968

Veracore » *
Versions before (<) 2024.4.2.1
cpe:2.3:advantive:veracore:*:*:*:*:*:*:*:*
Matching versions
Advantive » Veracore
Versions before (<) 2024.4.2.1
cpe:2.3:a:advantive:veracore:*:*:*:*:*:*:*:*
Matching versions

CVE-2024-57968 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Advantive VeraCore Unrestricted File Upload Vulnerability

CISA required action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA description:

Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.

Notes:

https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1 ; https://nvd.nist.gov/vuln/detail/CVE-2024-57968

Added on 2025-03-10 Action due date 2025-03-31

Exploit prediction scoring system (EPSS) score for CVE-2024-57968

EPSS FAQ

7.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 91 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-57968

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	N/A	N/A	MITRE	2025-02-03
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	MITRE	2025-02-03
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2025-03-13
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-57968

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Assigned by:
- 8254265b-2729-46b6-b9e3-3dfca2d5bfca (Primary)
- cve@mitre.org (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2024-57968

https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1

VeraCore Release Notes - 2024.4.2.1
Product;Release Notes
https://www.solissecurity.com/en-us/insights/xe-group-from-credit-card-skimming-to-exploiting-zero-days/

Exploit;Technical Description;Third Party Advisory

CVEs referencing this url
https://intezer.com/blog/research/xe-group-exploiting-zero-days/

XE Group: From Credit Card Skimming to Exploiting Zero-Days
Exploit;Technical Description;Third Party Advisory

CVEs referencing this url