CVE-2024-31801

Security Advisory

Topic:          Directory Traversal vulnerability in NEXSYS-ONE v.before Rev.15320 allows a remote attacker to obtain sensitive information via a crafted request.
Category:       NEXSYS-ONE
Module:         VideoStream
Announced:      09-04-2024
Credits:        Ahmed Kameran --- https://twitter.com/hamoshwani
CVE ID:         CVE-2024-31801
Affects:        NEXSYS-ONE - < Rev.15320
Corrected:      NEXSYS-ONE - > Rev.15320

1.   Background

CVE-2024-31801 denotes a Directory Traversal vulnerability discovered in versions of NEXSYS-ONE preceding Rev.15320. This flaw allows remote attackers to illicitly access sensitive information via meticulously crafted requests.

2.  Problem Description

CVE-2024-31801 exposes a Directory Traversal vulnerability in NEXSYS-ONE prior to Rev.15320. 
Attackers exploit a flaw in the Video Stream Component, injecting malicious file paths to access sensitive local files remotely. This leads to unauthorized disclosure of critical data, jeopardizing system confidentiality and integrity.e the injected payload that can lead to Local file read

Vulenrable models: VideoStream

3. Impact
The exploitation of CVE-2024-31801 in NEXSYS-ONE software versions preceding Rev.15320 results in severe information disclosure. Attackers can remotely access sensitive local files, compromising the confidentiality of critical data. 
This breach undermines system integrity, potentially leading to further exploitation and data breaches.

4.   Solution
To mitigate CVE-2024-31801, users should upgrade their NEXSYS-ONE software to versions released after Rev.15320. 
These updated versions contain patches and security enhancements that address the Directory Traversal vulnerability, effectively safeguarding against remote exploitation and unauthorized information disclosure.