ByteOS Network

Vulnerability Details :

CVE-2024-6618

Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At-13 Aug, 2024 | 16:37

Updated At-20 Aug, 2024 | 16:31

Path Traversal in Ocean Data Systems Dream Report

In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:icscert

Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At:13 Aug, 2024 | 16:37

Updated At:20 Aug, 2024 | 16:31

▼CVE Numbering Authority (CNA)

Path Traversal in Ocean Data Systems Dream Report

In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).

Affected Products

Vendor

Ocean Data Systems

Product

Dream Report 2023

Default Status

unaffected

Versions

Affected

From 0 through 23.0.17795.1010 (custom)

Vendor

AVEVA

Product

Reports for Operations

Default Status

unaffected

Versions

Affected

23.0.17795.1010

Problem Types

Type	CWE ID	Description
CWE	CWE-22	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Type: CWE

CWE ID: CWE-22

Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Metrics

Version	Base score	Base severity	Vector
4.0	8.5	HIGH	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Version: 4.0

Base score: 8.5

Base severity: HIGH

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Solutions

Ocean Data Systems recommends users update to the following: * Dream Report 2023 R2: Version 23.3.18952.0523 For more information, see Dream Report Version 2023 R2 Released https://dreamreport.net/ . AVEVA recommends users of affected versions upgrade to the versions listed below and apply the corresponding security update: * Update to AVEVA Reports for Operations 2023 R2 https://softwaresupportsp.aveva.com/#/producthub/details or later For more information, see security bulletin AVEVA-2024-006 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2024-006.pdf .

Credits

finder

Claroty Team82 reported these vulnerabilities to CISA.

References

Hyperlink	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08	government-resource

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08

Resource:

government-resource

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Vendor

ocean_data_systems

Product

dream_report_2023

CPEs

cpe:2.3:a:ocean_data_systems:dream_report_2023:*:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

From 0 through 23.0.17795.1010 (custom)

Vendor

AVEVA

Product

reports_for_operations_2023

CPEs

cpe:2.3:a:aveva:reports_for_operations_2023:*:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

23.0.17795.1010

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:ics-cert@hq.dhs.gov

Published At:13 Aug, 2024 | 17:15

Updated At:13 Aug, 2024 | 17:15

In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.5	HIGH	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 8.5

Base severity: HIGH

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-22	Primary	ics-cert@hq.dhs.gov

CWE ID: CWE-22

Type: Primary

Source: ics-cert@hq.dhs.gov

References

Hyperlink	Source	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08	ics-cert@hq.dhs.gov	N/A

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08

Source: ics-cert@hq.dhs.gov

Resource: N/A

Similar CVEs

5Records found

CVE-2024-6619

Matching Score-8

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

View Details

Matching Score-8

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

CVSS Score-8.5||HIGH

EPSS-0.03% / 8.06%

7 Day CHG~0.00%

Published-13 Aug, 2024 | 16:41

Updated-14 Aug, 2024 | 14:37

Incorrect Permission Assignment for Critical Resource in Ocean Data Systems Dream Report

In Ocean Data Systems Dream Report, an incorrect permission vulnerability could allow a local unprivileged attacker to escalate their privileges and could cause a denial-of-service.

Vendor-Ocean Data Systems ocean_data_systems AVEVA

Product-Reports for Operations 2023 Dream Report 2023 dream_report_2023 reports_for_operations_2023

CWE ID-CWE-732

Incorrect Permission Assignment for Critical Resource

CVE-2022-23854

Matching Score-6

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

View Details

Matching Score-6

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

CVSS Score-7.5||HIGH

EPSS-92.61% / 99.73%

7 Day CHG~0.00%

Published-23 Dec, 2022 | 20:50

Updated-13 Feb, 2025 | 17:15

AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.

Vendor-AVEVA

Product-intouch_access_anywhere InTouch Access Anywhere

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE ID-CWE-23

Relative Path Traversal

CVE-2021-42797

Matching Score-6

Assigner-MITRE Corporation

View Details

Matching Score-6

Assigner-MITRE Corporation

CVSS Score-7.5||HIGH

EPSS-0.40% / 60.00%

7 Day CHG~0.00%

Published-16 Dec, 2023 | 00:00

Updated-04 Aug, 2024 | 03:38

Path traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an unauthenticated user to steal the Windows access token of the user account configured for accessing external DB resources.

Vendor-n/a AVEVA

Product-edge n/a

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-32981

Matching Score-6

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

View Details

Matching Score-6

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

CVSS Score-7.2||HIGH

EPSS-0.24% / 46.67%

7 Day CHG~0.00%

Published-04 Apr, 2022 | 19:45

Updated-16 Apr, 2025 | 17:56

AVEVA System Platform Path Traversal

AVEVA System Platform versions 2017 through 2020 R2 P01 uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vendor-AVEVA

Product-system_platform AVEVA System Platform

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2013-10046

Matching Score-4

Assigner-VulnCheck

View Details

Matching Score-4

Assigner-VulnCheck

CVSS Score-8.5||HIGH

EPSS-0.02% / 4.60%

7 Day CHG+0.01%

Published-01 Aug, 2025 | 20:37

Updated-04 Aug, 2025 | 15:06

Agnitum Outpost Internet Security Local Privilege Escalation

A local privilege escalation vulnerability exists in Agnitum Outpost Internet Security 8.1 that allows an unprivileged user to execute arbitrary code with SYSTEM privileges. The flaw resides in the acs.exe component, which exposes a named pipe that accepts unauthenticated commands. By exploiting a directory traversal weakness in the pipe protocol, an attacker can instruct the service to load a malicious DLL from a user-controlled location. The DLL is then executed in the context of the privileged service.

Vendor-Agnitum Ltd.

Product-Outpost Internet Security

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE ID-CWE-306

Missing Authentication for Critical Function

CVE-2024-6618

Credits

Path Traversal in Ocean Data Systems Dream Report

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Affected

Affected

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs