CVE-2024-24721

Abstract Advisory Information

The password form used to authenticate is prone to Brute Force Attack

Author: Julien Blommaert

Version affected

Vendor : Innovaphone AG

Product : Innovaphone PBX

Versions: prior to 14r1

Common Vulnerability Scoring System

5.4

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Patches

14r1

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24721

Vulnerability Disclosure Timeline

• 06/10/2023: Vulnerability discovery
• 09/10/2023: Vulnerability report to CERT-XLM
• 17/10/2023: Vulnerability report to Vendor through emails
• 24/10/2023: Vulnerability report to Vendor through email
• 07/11/2023 Called vendor, vendor gave contact information
• 07/11/2023: Vulnerability report to Vendor through email
• 09/11/2023: Reply from vendor, asking for the vulnerability details
• 14/11/2023: Vulnerability Report shared to the vendor
• 15/11/2023: Acknowledge from vendor
• 21/11/2023: Asked the vendor for an update
• 22/11/2023: Vendor confirmed ticket creation on their side
• 23/11/2023: Vendor confirmed fix is in progress
• 28/11/2023: Update asked to vendor
• 4/12/2023: Vendor informed us it’s going to be fixed in version 14r1
• 12/12/2023: Asked for the release date of the fix again
• 13/12/2023: Estimation of the expected release date provided (end of 2023)
• 16/01/2024: Asked for release confirmation
• 17/01/2024: Vendor confirmed patch has been released
• 18/01/2024: Request CVE ID to Mitre
• 27/01/2024:  CVE IDs assigned : Use CVE-2024-24721
• 08/02/2024: Publication