CVE-2024-46506

Source
https://cve.org/CVERecord?id=CVE-2024-46506
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46506.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46506
Published
2025-05-13T16:15:23.527Z
Modified
2026-04-10T05:18:01.181093Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.

References

Affected packages

Git / github.com/jokob-sk/netalertx

Affected ranges

Type
GIT
Repo
https://github.com/jokob-sk/netalertx
Events
Database specific
{
    "versions": [
        {
            "introduced": "23.01.14"
        },
        {
            "fixed": "24.10.12"
        }
    ]
}

Affected versions

23.*
23.01.14
23.01.22-HF01
v23.*
v23.01.22
v23.01.22-HF02
v23.02.02
v23.03.11
v23.04.01
v23.10.2
v23.11.11
v23.12.16
v23.5.7
v23.6.16
v23.7.22
v23.9.10
v23.9.11
v23.9.12
v24.*
v24.01.18
v24.2.16
v24.2.17
v24.3.19
v24.5.9
v24.6.8
v24.7.18
v24.9.12
v24.9.26

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46506.json"