CVE-2024-41108

Public Exploit

FOG Sensitive Information Disclosure

Description

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can only be retrieved if a task is pending on that host. Otherwise, an error message containing "Invalid tasking!" will be returned. The domainpassword in the hostinfo dump is hidden even to authenticated users, as it is displayed as a row of asterisks when navigating to the host's Active Directory settings. This vulnerability is fixed in 1.5.10.41.

References

Link	Tags
https://github.com/FOGProject/fogproject/security/advisories/GHSA-p3f9-4jj4-fm2g	vendor advisory exploit
https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/service/hostinfo.php	product
https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/service/hostname.php	product

Frequently Asked Questions

What is the severity of CVE-2024-41108?: CVE-2024-41108 has been scored as a high severity vulnerability.
How to fix CVE-2024-41108?: To fix CVE-2024-41108, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-41108 being actively exploited in the wild?: It is possible that CVE-2024-41108 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-41108?: CVE-2024-41108 affects FOGProject fogproject.

Description

Categories

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

CWE-862 – Missing Authorization

References

Frequently Asked Questions