Multiple vulnerabilities in upKeeper Manager
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2024-42464 CVE-2024-42466 CVE-2024-42463 CVE-2024-42462 CVE-2024-42465 |
| CWE-ID | CWE-639 CWE-307 CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
upKeeper Manager Other software / Other software solutions |
| Vendor | upKeeper Solutions |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Authorization bypass through user-controlled key
EUVDB-ID: #VU96501
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-42464
CWE-ID:
CWE-639 - Authorization Bypass Through User-Controlled Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to authorization bypass through user-controlled key. A remote user can send a specially crafted request and gain access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsupKeeper Manager: 5.1.9
CPE2.3- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:5.1.9:*:*:*:*:*:*:*
http://support.upkeeper.se/hc/en-us/articles/15432275702044-CVE-2024-42464-Leak-of-user-Information
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Restriction of Excessive Authentication Attempts
EUVDB-ID: #VU96502
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-42466
CWE-ID:
CWE-307 - Improper Restriction of Excessive Authentication Attempts
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can conduct brute force attacks and bypass authentication.
MitigationInstall updates from vendor's website.
Vulnerable software versionsupKeeper Manager: 5.1.9
CPE2.3- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:5.1.9:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Authorization bypass through user-controlled key
EUVDB-ID: #VU96504
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-42463
CWE-ID:
CWE-639 - Authorization Bypass Through User-Controlled Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to authorization bypass through user-controlled key. A remote user can send a specially crafted request and gain access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsupKeeper Manager: 5.1.9
CPE2.3- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:5.1.9:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Authentication
EUVDB-ID: #VU96505
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-42462
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests in the administration login process. A remote attacker can bypass authentication process and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsupKeeper Manager: 5.1.9
CPE2.3- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:5.1.9:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Restriction of Excessive Authentication Attempts
EUVDB-ID: #VU96503
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-42465
CWE-ID:
CWE-307 - Improper Restriction of Excessive Authentication Attempts
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can conduct brute force attacks and bypass authentication.
MitigationInstall updates from vendor's website.
Vulnerable software versionsupKeeper Manager: 5.1.9
CPE2.3- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:upkeeper_solutions:upkeeper_manager:5.1.9:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
