
JVNDB-2024-013260

Multiple vulnerabilities in Edgecross Basic Software for Windows

Overview

Edgecross Basic Software for Windows provided by Edgecross Consortium contains multiple vulnerabilities listed below.

* Incorrect default permissions (CWE-276) - CVE-2024-4229
* External control of file name or path (CWE-73) - CVE-2024-4230

Edgecross Consortium reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Affected Products


Edgecross Consortium
  • Edgecross Basic Software for Windows ECP-BS1-W version 1.00 and earlier
  • Edgecross Basic Software for Developers ECP-BS1-W-D version 1.00 and earlier

Note that CVE-2024-4229 applies only when the product is installed into a folder other than the default, one that is not specified/changed only by an administrative user.

Impact

Successful exploitation of these vulnerabilities could allow an attacker to execute a malicious program on the system, which may lead to information disclosure, tampering of information, or a denial-of-service (DoS) condition.

Solution

[Apply the Workaround]
Applying the following workaround may mitigate the impacts of these vulnerabilities.

* CVE-2024-4229
- Install the product with the default installation folder or specify a folder which only an administrative user specifies/changes

* CVE-2024-4230
- When specifying a program using the program execution feedback settings of the real-time flow designer, specify a trusted file only

* CVE-2024-4229, CVE-2024-4230
- When connecting the PC that uses the product to the Internet, protect it against unauthorized access with a firewall or virtual private network (VPN), etc., and only allow remote logins from trusted users
- Use the PC that uses the product within a LAN, and block remote logins from untrusted networks, hosts, and users
- Do not open untrusted files (especially project files) or click untrusted links
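
One way to check the CVE-2024-4229 workaround on an existing installation, as an added example (not code from Edgecross Consortium or JVN): the PowerShell script below lists allow entries that grant write-type rights on the install folder, its subfolders and its executables to principals outside an administrative set. The folder path is a placeholder, and the trusted SID list, the function name and the file-extension filter are assumptions.

```powershell
# Added example: list write-capable ACL entries held by non-administrative principals.
param(
    # Placeholder (assumption): pass the folder that was chosen at installation time.
    [string]$InstallDir = 'C:\PLACEHOLDER\InstallFolder'
)

# SIDs treated as administrative here (assumption; adjust to local policy).
$TrustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0',        # CREATOR OWNER (replaced by the owner's SID on newly created children)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal plant, replace or re-permission files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inheritable ACEs.
$WriteMask = $WriteMask -bor 0x50000000

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so the comparison does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path = $Path; Sid = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Install folder not found: $InstallDir"
}
# Check the folder itself, its subfolders, and the executables and libraries inside it.
$paths = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { $_.FullName })
$findings = @($paths | ForEach-Object { Get-NonAdminWriteAce -Path $_ })
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) write-capable entries for non-administrative principals under $InstallDir"
} else {
    Write-Output "No non-administrative write access found under $InstallDir"
}
```

Entries for groups such as Users or Authenticated Users in the output mean the folder does not meet the workaround's condition; the script reads ACLs only and changes nothing.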

Vendor Information

Edgecross Consortium

CWE

  1. Incorrect Default Permissions (CWE-276) [Other]
  2. External Control of File Name or Path (CWE-73) [Other]

CVE

  1. CVE-2024-4229
  2. CVE-2024-4230

References

  1. JVN : JVNVU#92857077

Revision History

  • [2024/11/22]
      Web page was published