Visteon Infotainment System DeviceManager iAP Serial Number SQL Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment system. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DeviceManager. When parsing the iAP Serial number, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20112.
History

Thu, 19 Dec 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Visteon infotainment Firmware
CPEs cpe:2.3:o:visteon:infotainment_firmware:74.00.311a:*:*:*:*:*:*:*
Vendors & Products Visteon infotainment Firmware
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 26 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Visteon
Visteon infotainment
CPEs cpe:2.3:a:visteon:infotainment:74.00.311a:*:*:*:*:*:*:*
Vendors & Products Visteon
Visteon infotainment
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 Nov 2024 21:45:00 +0000

Type Values Removed Values Added
Description Visteon Infotainment System DeviceManager iAP Serial Number SQL Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment system. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DeviceManager. When parsing the iAP Serial number, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20112.
Title Visteon Infotainment System DeviceManager iAP Serial Number SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_0

{'score': 6.8, 'vector': 'CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2024-11-22T21:32:37.615Z

Updated: 2024-11-26T15:38:24.205Z

Reserved: 2024-08-30T16:16:00.836Z

Link: CVE-2024-8355

cve-icon Vulnrichment

Updated: 2024-11-26T15:19:57.269Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-22T22:15:18.860

Modified: 2024-12-19T18:47:39.363

Link: CVE-2024-8355

cve-icon Redhat

No data.