A vulnerability was found in Cegid Meta4 HR 819.001.022. It has been declared as problematic. This vulnerability affects an unknown functionality of the component Configuration Page. The manipulation with an unknown input leads to a redirect vulnerability. The CWE definition for the vulnerability is CWE-698. The web application sends a redirect to another location, but instead of exiting, it executes additional code. As an impact it is known to affect confidentiality. CVE summarizes:

The configuration pages available are not intended to be placed on an Internet facing web server, as they expose file paths to the client, who can be an attacker. Instead of rewriting these pages to avoid this vulnerability, they will be dismissed from future releases of Cegid Meta4 HR, as they do not offer product functionality

The advisory is shared for download at cegid.com. This vulnerability was named CVE-2024-2635 since 03/19/2024. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 03/19/2024). The MITRE ATT&CK project declares the attack technique as T1204.001.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries VDB-139697, VDB-152288, VDB-153996 and VDB-154201 are pretty similar.

Productinfo

Vendor

• Cegid

Name

• Meta4 HR

Version

• 819.001.022

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion