CVE-2024-13980

H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined.Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
VulnCheckCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Common Weakness Enumeration
References
https://axsec.blog.csdn.net/article/details/141003376
https://blog.csdn.net/nnn2188185/article/details/141065540
https://blog.csdn.net/weixin_48539059/article/details/141033966
https://github.com/OJZen/FckESC/blob/master/%E5%86%85%E7%BD%91%E7%99%BB%E5%BD%95%E8%BF%87%E7%A8%8B.txt
https://www.h3c.com/cn/Service/Online_Help/psirt/
https://www.vulncheck.com/advisories/h3c-intelligent-management-center-rce