CVE-2024-52958

A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via upload plugin function.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://zuso.ai/advisory/za-2024-11	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gss:iota_c.ai:*:*:*:*:*:*:*:*

History

06 Mar 2026, 18:42

Type	Values Removed	Values Added
First Time		Gss Gss iota C.ai
References	~~() https://zuso.ai/advisory/za-2024-11 -~~	() https://zuso.ai/advisory/za-2024-11 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CPE		cpe:2.3:a:gss:iota_c.ai::::::::

27 Nov 2024, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-27 06:15

Updated : 2026-03-06 18:42

NVD link : CVE-2024-52958

Mitre link : CVE-2024-52958

CVE.ORG link : CVE-2024-52958

JSON object : View

Products Affected

gss

iota_c.ai

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2024-52958", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "ART@zuso.ai", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-27T06:15:18.590", "references": [{"url": "https://zuso.ai/advisory/za-2024-11", "tags": ["Third Party Advisory"], "source": "ART@zuso.ai"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ART@zuso.ai", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via upload plugin function."}, {"lang": "es", "value": "Una verificaci\u00f3n incorrecta de la vulnerabilidad de la firma criptogr\u00e1fica en la gesti\u00f3n de complementos en iota C.ai Conversational Platform desde 1.0.0 hasta 2.1.3 permite que usuarios autenticados remotos carguen una DLL maliciosa a trav\u00e9s de la funci\u00f3n de carga del complemento."}], "lastModified": "2026-03-06T18:42:54.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gss:iota_c.ai:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C31D3870-EB20-4CDE-A95C-B9C590FF33A3", "versionEndIncluding": "2.1.3", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ART@zuso.ai"}