Versa Director GUI Misuse of Change Favicon Allows Malicious PNG Upload
CVE-2024-39717 Published on August 22, 2024
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is available only to a user logged in with the Provider-Data-Center-Admin or Provider-Data-Center-System-Admin role (tenant-level users do not have this privilege). The Change Favicon (Favorite Icon) option can be misused to upload a malicious file with a .png extension so that it masquerades as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges has successfully authenticated and logged in.
Known Exploited Vulnerability
This Versa Director Dangerous File Type Upload Vulnerability is on CISA's list of Known Exploited Vulnerabilities. The Versa Director GUI contains an unrestricted upload of a file with a dangerous type (CWE-434) in the feature that lets administrators with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges customize the user interface. The “Change Favicon” (Favorite Icon) option enables the upload of a .png file, which can be exploited to upload a malicious file with a .png extension disguised as an image.
The following remediation steps are recommended / required by September 13, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2024-39717 has been classified as an Unrestricted File Upload vulnerability (weakness).
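The defensive control for this weakness class is to validate an uploaded file by its structure, not by the name the client supplies. The following is an added example written for this page, not Versa's code and not a description of how Versa Director processes favicons: it contrasts an extension-only check with a parser that walks the PNG chunk structure, verifies each chunk CRC, allows only the chunk types a favicon needs, bounds the dimensions and file size, and rejects any bytes appended after IEND (the classic "image with a payload glued on" pattern). The sample inputs are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a favicon legitimately needs; everything else (tEXt, iTXt,
# private chunks) is refused rather than stored. Policy choice for this example.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}


def extension_only_check(filename: str) -> bool:
    """The weak check: trusts the client-supplied name, so any bytes
    called 'something.png' pass. This is the pattern CWE-434 describes."""
    return filename.lower().endswith(".png")


def is_valid_png(data: bytes, max_bytes: int = 64 * 1024,
                 max_dim: int = 512) -> tuple[bool, str]:
    """Hardened check: accept only a small, well-formed PNG.
    Returns (ok, reason) so the caller can log why an upload was refused."""
    if len(data) > max_bytes:
        return False, "file too large for a favicon"
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    first = True
    while True:
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # length + 4-byte CRC must fit inside the buffer
        if length > len(data) - pos - 12:
            return False, f"chunk {ctype!r} length exceeds file"
        if ctype not in ALLOWED_CHUNKS:
            return False, f"chunk {ctype!r} not permitted in a favicon"
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, f"bad CRC on chunk {ctype.decode()}"
        if first:
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not IHDR"
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= max_dim and 0 < height <= max_dim):
                return False, f"unreasonable dimensions {width}x{height}"
            first = False
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                return False, "trailing data after IEND"
            return True, "ok"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Constructed 1x1 8-bit RGB PNG used as the known-good sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


# Constructed samples: a real image, a script renamed to .png, and the
# same image with extra bytes appended after IEND.
SAMPLES = {
    "favicon.png (real image)": make_tiny_png(),
    "favicon.png (shell script)": b"#!/bin/sh\necho not an image\n",
    "favicon.png (image + appended bytes)": make_tiny_png() + b"#!/bin/sh\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        weak = extension_only_check("favicon.png")
        ok, reason = is_valid_png(blob)
        print(f"{label:40s} extension-check={weak} content-check={ok} ({reason})")
```

The structural check proves only that the bytes are a plausible PNG; it says nothing about what downstream code does with the file. The stored favicon should still be written outside any path that is executed or interpreted, served with a fixed `image/png` content type and a server-chosen filename, and the rejection reason logged so that repeated refusals from one administrator account show up in detection.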
Products Associated with CVE-2024-39717
Affected Versions
Versa Director:
- Version 21.2.2 (<= 21.2.2) is affected.
- Version 21.2.3 before 2024-06-21 (builds below 21.2.3_2024-06-21) is affected.
- Version 22.1.1 (<= 22.1.1) is affected.
- Version 22.1.2 before 2024-06-21 (builds below 22.1.2_2024-06-21) is affected.
- Version 22.1.3 before 2024-06-21 (builds below 22.1.3_2024-06-21) is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.