Vulnerability-Lookup

CNVD-2024-09643

Vulnerability from cnvd - Published: 2024-02-22

Title

openBI代码注入漏洞

Description

openBI是openBI公司的一个大数据可视化解决方案。 openBI 1.0.8及之前版本存在代码注入漏洞，该漏洞源于/application/index/controller/Screen.php文件的index 函数存在问题，可能导致代码注入。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

openBI代码注入漏洞的补丁

Patch Description

openBI是openBI公司的一个大数据可视化解决方案。 openBI 1.0.8及之前版本存在代码注入漏洞，该漏洞源于/application/index/controller/Screen.php文件的index 函数存在问题，可能导致代码注入。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已提供漏洞修复方案，请关注厂商主页更新： http://openbi.com/

Reference

https://cxsecurity.com/cveshow/CVE-2024-1117/

Impacted products

Name
openBI openBI <=1.0.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-1117"
    }
  },
  "description": "openBI\u662fopenBI\u516c\u53f8\u7684\u4e00\u4e2a\u5927\u6570\u636e\u53ef\u89c6\u5316\u89e3\u51b3\u65b9\u6848\u3002\n\nopenBI 1.0.8\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/application/index/controller/Screen.php\u6587\u4ef6\u7684index \u51fd\u6570\u5b58\u5728\u95ee\u9898\uff0c\u53ef\u80fd\u5bfc\u81f4\u4ee3\u7801\u6ce8\u5165\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttp://openbi.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-09643",
  "openTime": "2024-02-22",
  "patchDescription": "openBI\u662fopenBI\u516c\u53f8\u7684\u4e00\u4e2a\u5927\u6570\u636e\u53ef\u89c6\u5316\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nopenBI 1.0.8\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/application/index/controller/Screen.php\u6587\u4ef6\u7684index \u51fd\u6570\u5b58\u5728\u95ee\u9898\uff0c\u53ef\u80fd\u5bfc\u81f4\u4ee3\u7801\u6ce8\u5165\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "openBI\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "openBI openBI \u003c=1.0.8"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2024-1117/",
  "serverity": "\u9ad8",
  "submitTime": "2024-02-02",
  "title": "openBI\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2024-1117 (GCVE-0-2024-1117)

Vulnerability from cvelistv5 – Published: 2024-01-31 20:31 – Updated: 2025-05-29 15:03

Title

openBI Screen.php index code injection

Summary

A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argument fileurl leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252475.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-94 - Code Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.252475	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.252475	signaturepermissions-required
	https://note.zhaoj.in/share/Liu1nbjddxu4	broken-linkexploit

Impacted products

	Vendor	Product	Version
	n/a	openBI	Affected: 1.0.0 Affected: 1.0.1 Affected: 1.0.2 Affected: 1.0.3 Affected: 1.0.4 Affected: 1.0.5 Affected: 1.0.6 Affected: 1.0.7 Affected: 1.0.8

Credits

glzjin (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:26:30.500Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.252475"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.252475"
          },
          {
            "tags": [
              "broken-link",
              "exploit",
              "x_transferred"
            ],
            "url": "https://note.zhaoj.in/share/Liu1nbjddxu4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1117",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T15:42:24.270396Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-29T15:03:18.752Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openBI",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            },
            {
              "status": "affected",
              "version": "1.0.4"
            },
            {
              "status": "affected",
              "version": "1.0.5"
            },
            {
              "status": "affected",
              "version": "1.0.6"
            },
            {
              "status": "affected",
              "version": "1.0.7"
            },
            {
              "status": "affected",
              "version": "1.0.8"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "glzjin (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argument fileurl leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252475."
        },
        {
          "lang": "de",
          "value": "In openBI bis 1.0.8 wurde eine kritische Schwachstelle ausgemacht. Es geht um die Funktion index der Datei /application/index/controller/Screen.php. Durch die Manipulation des Arguments fileurl mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-09T19:13:40.355Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.252475"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.252475"
        },
        {
          "tags": [
            "broken-link",
            "exploit"
          ],
          "url": "https://note.zhaoj.in/share/Liu1nbjddxu4"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-01-31T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-01-31T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-01-31T14:15:40.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "openBI Screen.php index code injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-1117",
    "datePublished": "2024-01-31T20:31:04.310Z",
    "dateReserved": "2024-01-31T13:10:20.038Z",
    "dateUpdated": "2025-05-29T15:03:18.752Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-09643

CVE-2024-1117 (GCVE-0-2024-1117)

Tags

Sightings

Nomenclature