CVE-2024-52875

High CVSS: 8.8

An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.

Vendor

Gfi

Product

Kerio Control

CWE

CWE-113

Yayın Tarihi

2025-01-31 08:15:07

Güncelleme

2025-09-16 17:29:19

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-113 Kerio Control HIGH Gfi 2025

Referanslar

https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875 http://seclists.org/fulldisclosure/2024/Dec/15

Benzer Kayıtlar

High

CVE-2026-2036

GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…

High

CVE-2026-2037

GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…

Critical

CVE-2026-2038

GFI Archiver MArc.Core Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attac…

Critical

CVE-2026-2039

GFI Archiver MArc.Store Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote atta…

Medium

CVE-2026-23621

GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the L…

Medium

CVE-2026-23616

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing co…