SA-2024-056 - less Vulnerability (CVE-2024-32487) - Extreme Networks

Summary

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

Products not listed in the Impact Details section have not been evaluated. Furthermore, products that have exceeded any software maintenance time periods are also not evaluated and will not be published. Please consult End of Sale and End of Service Life - Extreme Networks for the EOL notices related to the product under question.

Impact Details

OS/Product	Exposure
ExtremeCloud IQ - Site Engine (XIQ-SE)	No

Repair Recommendations

None

Please see the full Security Advisory article here for more details and updates.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Extreme Networks

SA-2024-056 - less Vulnerability (CVE-2024-32487)

SA-2023-047 - Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (Leaking fr

SA-2023-107 - libcurl cookie injection with none file (CVE-2023-38546)

SA-2023-106 - SOCKS5 heap buffer overflow (CVE-2023-38545)