{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-10313",
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "state": "PUBLISHED",
        "assignerShortName": "icscert",
        "dateReserved": "2024-10-23T18:25:15.297Z",
        "datePublished": "2024-10-24T17:41:56.069Z",
        "dateUpdated": "2024-10-24T18:29:45.979Z"
    },
    "containers": {
        "cna": {
            "affected": [
                {
                    "defaultStatus": "unaffected",
                    "product": "SpiderControl SCADA PC HMI Editor",
                    "vendor": "iniNet Solutions",
                    "versions": [
                        {
                            "status": "affected",
                            "version": "8.10.00.00"
                        }
                    ]
                }
            ],
            "credits": [
                {
                    "lang": "en",
                    "type": "finder",
                    "value": "elcazator from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc. reported this vulnerability to CISA."
                }
            ],
            "descriptions": [
                {
                    "lang": "en",
                    "supportingMedia": [
                        {
                            "base64": false,
                            "type": "text/html",
                            "value": "iniNet Solutions SpiderControl SCADA PC HMI Editor has a path traversal \nvulnerability. When the software loads a malicious ‘ems' project \ntemplate file constructed by an attacker, it can write files to \narbitrary directories. This can lead to overwriting system files, \ncausing system paralysis, or writing to startup items, resulting in \nremote control."
                        }
                    ],
                    "value": "iniNet Solutions SpiderControl SCADA PC HMI Editor has a path traversal \nvulnerability. When the software loads a malicious ‘ems' project \ntemplate file constructed by an attacker, it can write files to \narbitrary directories. This can lead to overwriting system files, \ncausing system paralysis, or writing to startup items, resulting in \nremote control."
                }
            ],
            "metrics": [
                {
                    "cvssV3_1": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "HIGH",
                        "baseScore": 8,
                        "baseSeverity": "HIGH",
                        "confidentialityImpact": "HIGH",
                        "integrityImpact": "HIGH",
                        "privilegesRequired": "LOW",
                        "scope": "UNCHANGED",
                        "userInteraction": "REQUIRED",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                        "version": "3.1"
                    },
                    "format": "CVSS",
                    "scenarios": [
                        {
                            "lang": "en",
                            "value": "GENERAL"
                        }
                    ]
                },
                {
                    "cvssV4_0": {
                        "Automatable": "NOT_DEFINED",
                        "Recovery": "NOT_DEFINED",
                        "Safety": "NOT_DEFINED",
                        "attackComplexity": "LOW",
                        "attackRequirements": "NONE",
                        "attackVector": "NETWORK",
                        "baseScore": 8.6,
                        "baseSeverity": "HIGH",
                        "privilegesRequired": "LOW",
                        "providerUrgency": "NOT_DEFINED",
                        "subAvailabilityImpact": "NONE",
                        "subConfidentialityImpact": "NONE",
                        "subIntegrityImpact": "NONE",
                        "userInteraction": "PASSIVE",
                        "valueDensity": "NOT_DEFINED",
                        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                        "version": "4.0",
                        "vulnAvailabilityImpact": "HIGH",
                        "vulnConfidentialityImpact": "HIGH",
                        "vulnIntegrityImpact": "HIGH",
                        "vulnerabilityResponseEffort": "NOT_DEFINED"
                    },
                    "format": "CVSS",
                    "scenarios": [
                        {
                            "lang": "en",
                            "value": "GENERAL"
                        }
                    ]
                }
            ],
            "problemTypes": [
                {
                    "descriptions": [
                        {
                            "cweId": "CWE-22",
                            "description": "CWE-22 Path Traversal",
                            "lang": "en",
                            "type": "CWE"
                        }
                    ]
                }
            ],
            "providerMetadata": {
                "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
                "shortName": "icscert",
                "dateUpdated": "2024-10-24T17:41:56.069Z"
            },
            "references": [
                {
                    "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02"
                }
            ],
            "solutions": [
                {
                    "lang": "en",
                    "supportingMedia": [
                        {
                            "base64": false,
                            "type": "text/html",
                            "value": "iniNet Solutions recommends that users update SpiderControl SCADA PC HMI Editor to version <a target=\"_blank\" rel=\"nofollow\" href=\"https://spidercontrol.net/download/download-area-2/?lang=en#editor\">8.24.00.00</a> to mitigate this vulnerability.\n\n<br>"
                        }
                    ],
                    "value": "iniNet Solutions recommends that users update SpiderControl SCADA PC HMI Editor to version  8.24.00.00 https://spidercontrol.net/download/download-area-2/  to mitigate this vulnerability."
                }
            ],
            "source": {
                "advisory": "ICSA-24-298-02",
                "discovery": "EXTERNAL"
            },
            "title": "iniNet Solutions SpiderControl SCADA PC HMI Editor Path Traversal",
            "x_generator": {
                "engine": "Vulnogram 0.2.0"
            }
        },
        "adp": [
            {
                "affected": [
                    {
                        "vendor": "spidercontrol",
                        "product": "scada_pc_hmi_editor",
                        "cpes": [
                            "cpe:2.3:a:spidercontrol:scada_pc_hmi_editor:*:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unaffected",
                        "versions": [
                            {
                                "version": "8.10.00.00",
                                "status": "affected"
                            }
                        ]
                    }
                ],
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-10-24T18:23:13.626806Z",
                                "id": "CVE-2024-10313",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "total"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-10-24T18:29:45.979Z"
                }
            }
        ]
    }
}