PT-2024-60: Path Traversal leads to Remote Code Execution (RCE) in VideoMost Server

CRITICAL
(9.4) CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
THREATSCAPE

Analytics articles

What are the security threats on your network?

Check your traffic-for free
Request pilot

Vulnerability type:
  • CWE-22:Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vulnerability vector:

  • Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Severity (CVSSv3.1): 9.9 (critical)
  • Base vulnerability score (CVSSv4.0): CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • Severity (CVSSv4.0): 9.4 (critical)

Description:

The vulnerability was identified in VideoMost Server, versions before 9.0.0.1757.

The discovered vulnerability can be exploited by an attacker to remotely execute arbitrary code.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 20.05.2024

Recommendations:

  • Update to version 9.0.0.1757 or higher

Researcher: Georgy Kryuchkov (Positive Technologies)

Identifier:
BDU:2024-04060
Vendor:
Spirit DSP
Vulnerable product:
VideoMost Server
Vulnerable version:
before 9.0.0.1757

Get in touch

Fill in the form and our specialists
will contact you shortly