CVE-2024-5670

EUVD-2024-46843
The web services of Softnext's products, Mail SQR Expert and Mail Archiving Expert, do not properly validate user input, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the remote server.
OS Command Injection
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score
Percentile: 77%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| softnext | sn_os | 10.3 |
| softnext | sn_os | 12.1 |
| softnext | sn_os | 12.3 |

𝑥 = Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| softnext | mail_sqr_expert | 12.1 ≤ 𝑥 < 230922 | ADP |
| softnext | mail_sqr_expert | 12.3 ≤ 𝑥 < 230922 | ADP |
| softnext | mail_sqr_expert | 10.3 ≤ 𝑥 < 230631 | ADP |
| softnext | mail_archiving_expert | 12.1 ≤ 𝑥 < 230922 | ADP |
| softnext | mail_archiving_expert | 12.3 ≤ 𝑥 < 230922 | ADP |
| softnext | mail_archiving_expert | 10.3 ≤ 𝑥 < 230631 | ADP |