CVE-2024-52959

A Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://zuso.ai/advisory/za-2024-12	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gss:iota_c.ai:*:*:*:*:*:*:*:*

History

06 Mar 2026, 18:48

Type	Values Removed	Values Added
CPE		cpe:2.3:a:gss:iota_c.ai::::::::
References	~~() https://zuso.ai/advisory/za-2024-12 -~~	() https://zuso.ai/advisory/za-2024-12 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
First Time		Gss Gss iota C.ai

27 Nov 2024, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-27 06:15

Updated : 2026-03-06 18:48

NVD link : CVE-2024-52959

Mitre link : CVE-2024-52959

CVE.ORG link : CVE-2024-52959

JSON object : View

Products Affected

gss

iota_c.ai

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-52959", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "ART@zuso.ai", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-27T06:15:19.083", "references": [{"url": "https://zuso.ai/advisory/za-2024-12", "tags": ["Third Party Advisory"], "source": "ART@zuso.ai"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ART@zuso.ai", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "A Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file."}, {"lang": "es", "value": "Una vulnerabilidad de control inadecuado de generaci\u00f3n de c\u00f3digo ('inyecci\u00f3n de c\u00f3digo') en la gesti\u00f3n de complementos en iota C.ai Conversational Platform desde la versi\u00f3n 1.0.0 hasta la 2.1.3 permite a usuarios autenticados remotos ejecutar comandos arbitrarios del sistema a trav\u00e9s de un archivo DLL."}], "lastModified": "2026-03-06T18:48:54.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gss:iota_c.ai:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C31D3870-EB20-4CDE-A95C-B9C590FF33A3", "versionEndIncluding": "2.1.3", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ART@zuso.ai"}