CVE-2024-10456 – Delta Electronics InfraSuite Device Master Deserialization of Untrusted Data

https://notcve.org/view.php?id=CVE-2024-10456

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. Las versiones de Delta Electronics InfraSuite Device Master anteriores a 1.0.12 se ven afectadas por una vulnerabilidad de deserialización que afecta a Device-Gateway, lo que podría permitir la deserialización de objetos .NET arbitrarios antes de la autenticación. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the _gExtraInfo attribute. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03 • CWE-502: Deserialization of Untrusted Data •