CVE-2024-9150

Report generation functionality in Wyn Enterprise allows for code inclusion, but not sufficiently limits what code might be included. An attacker is able use a low privileges account in order to abuse this functionality and execute malicious code, load DLL libraries and executing OS commands on a host system with applications high privileges. This issue has been fixed in version 8.0.00204.0

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/02/CVE-2024-9150
https://efigo.pl/blog/cve-2024-9150/
https://www.wynenterprise.com/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) La función de generación de informes de Wyn Enterprise permite la inclusión de código, pero no limita lo suficiente el código que se puede incluir. Un atacante puede usar una cuenta con privilegios bajos para abusar de esta función y ejecutar código malicioso, cargar librerías DLL y ejecutar comandos del sistema operativo en un sistema host con aplicaciones con privilegios altos. Este problema se ha solucionado en la versión 8.0.00204.0

21 Feb 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-21 12:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-9150

Mitre link : CVE-2024-9150

CVE.ORG link : CVE-2024-9150

JSON object : View

Products Affected

No product.

CWE

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

{"id": "CVE-2024-9150", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-21T12:15:30.463", "references": [{"url": "https://cert.pl/en/posts/2025/02/CVE-2024-9150", "source": "cvd@cert.pl"}, {"url": "https://efigo.pl/blog/cve-2024-9150/", "source": "cvd@cert.pl"}, {"url": "https://www.wynenterprise.com/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "Report generation functionality in Wyn Enterprise allows for code inclusion, but not sufficiently limits what code might be included. An attacker is able use a low privileges account in order to abuse this functionality and execute malicious code, load DLL libraries and executing OS commands on a host system with applications high privileges.\nThis issue has been fixed in version\u00a08.0.00204.0"}, {"lang": "es", "value": "La funci\u00f3n de generaci\u00f3n de informes de Wyn Enterprise permite la inclusi\u00f3n de c\u00f3digo, pero no limita lo suficiente el c\u00f3digo que se puede incluir. Un atacante puede usar una cuenta con privilegios bajos para abusar de esta funci\u00f3n y ejecutar c\u00f3digo malicioso, cargar librer\u00edas DLL y ejecutar comandos del sistema operativo en un sistema host con aplicaciones con privilegios altos. Este problema se ha solucionado en la versi\u00f3n 8.0.00204.0"}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cvd@cert.pl"}