CVE-2024-28060 | Cyber Solutions By Thales

Abstract Advisory Information

An issue was discovered in Apiris Kafeo 6.4.4. It permits DLL hijacking, allowing a user to trigger the execution of arbitrary code every time the product is executed.

Author: Dominique RIGHETTO

Version affected

Name: APIRIS

Versions: Kafeo – 6.4.4

Common Vulnerability Scoring System

2.4

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Patches

No patch given

References

https://www.kafeo.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28060

Vulnerability Disclosure Timeline

15/01/2024: Vulnerability discovery
16/01/2024: Vulnerability Report to CERT-XLM
19/01/2024: Vulnerability Report to Vendor through contact@kafeo.com, contact@apiris.fr emails and form
27/02/2024: Vulnerability Report resend to Vendor through contact@kafeo.com, contact@apiris.fr emails and form
27/02/2024: Called vendor, no response
27/02/2024: Request CVE ID to Mitre
01/03/2024: CVE IDs assigned CVE-2024-28060
23/05/2024: Expected Vulnerability disclosure