CVE-2024-23749
KiTTY versions 0.76.1.13 and before are vulnerable to command injection via the filename variable. The flaw is caused by insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to inject input through the filename variable, leading to arbitrary code execution.
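The bug class named in the description (a filename concatenated into a command string and passed to an insecure system call without escaping) is illustrated below. This is an added example, not KiTTY's source: the function names, the `notepad.exe /p` command template and the constructed payload are assumptions chosen to show the pattern, not anything taken from the affected code at lines 2369-2390. The vulnerable builder is kept next to a hardened one that allow-lists the filename before it gets anywhere near a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (illustrative, not KiTTY's code): the filename is pasted
 * verbatim into a shell command line that is meant for system(). A double
 * quote in the filename closes the argument and everything after it is
 * interpreted by the shell, so "x" & calc.exe & "" runs a second command.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_print_command_vulnerable(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "notepad.exe /p \"%s\"", filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened check: accept only a conservative allow-list of filename
 * characters. Anything that could mean something to a shell (quotes, &, |,
 * ;, <, >, %, $, spaces, control characters) is rejected outright rather
 * than escaped, because escaping rules differ between cmd.exe and sh.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int is_safe_filename(const char *filename)
{
    size_t len = strlen(filename);
    if (len == 0 || len > 255)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-')
            continue;
        return 0;
    }
    /* "." and ".." pass the character test but are not real file names */
    if (strspn(filename, ".") == len)
        return 0;
    return 1;
}

/* Hardened builder: same formatting as above, but only after validation.
 * Returns 0 on success, -1 if the filename is rejected or does not fit. */
int build_print_command_hardened(const char *filename, char *out, size_t outlen)
{
    if (!is_safe_filename(filename))
        return -1;
    return build_print_command_vulnerable(filename, out, outlen);
}

int main(void)
{
    /* constructed attacker-controlled filename, not from any real exploit */
    const char *payload = "x\" & calc.exe & \"";
    const char *benign = "session.txt";
    char cmd[512];

    if (build_print_command_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable builder would run: %s\n", cmd);

    if (build_print_command_hardened(payload, cmd, sizeof cmd) == -1)
        printf("hardened builder rejected: %s\n", payload);

    if (build_print_command_hardened(benign, cmd, sizeof cmd) == 0)
        printf("hardened builder accepted: %s\n", cmd);
    return 0;
}
```

Neither builder executes anything; the point is the string that would reach `system()`. The allow-list is deliberately strict and would refuse legitimate names containing spaces or non-ASCII characters, so the better fix in real code is to stop going through a shell at all and launch the program with an argument vector (for example `CreateProcess` on Windows or `execve` on POSIX), keeping validation as defence in depth.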
Published
2024-02-09T08:15:08.530
Last Modified
2025-05-15T20:15:44.290
Status
Modified
Source
[email protected]
Severity
CVSSv3.1: 7.8 (HIGH)
Weaknesses
-
Type: Primary
CWE-77
-
Type: Secondary
CWE-77
Affected Vendors & Products
Type | Vendor | Product | Version/Range | Vulnerable?
Application | 9bis | kitty | ≤ 0.76.1.13 | Yes
References
-
http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
Exploit, Third Party Advisory, VDB Entry
([email protected])
-
http://seclists.org/fulldisclosure/2024/Feb/13
Exploit, Mailing List, Third Party Advisory
([email protected])
-
http://seclists.org/fulldisclosure/2024/Feb/14
Exploit, Mailing List, Third Party Advisory
([email protected])
-
https://blog.defcesco.io/CVE-2024-23749
Exploit, Third Party Advisory
([email protected])
-
http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
Exploit, Third Party Advisory, VDB Entry
(af854a3a-2127-422b-91ae-364da2661108)
-
http://seclists.org/fulldisclosure/2024/Feb/13
Exploit, Mailing List, Third Party Advisory
(af854a3a-2127-422b-91ae-364da2661108)
-
http://seclists.org/fulldisclosure/2024/Feb/14
Exploit, Mailing List, Third Party Advisory
(af854a3a-2127-422b-91ae-364da2661108)
-
https://blog.defcesco.io/CVE-2024-23749
Exploit, Third Party Advisory
(af854a3a-2127-422b-91ae-364da2661108)