CVE-2024-23749

HIGH

9bis Kitty < 0.76.1.13 - Command Injection

Title source: rule

Description

KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution.

Exploits (1)

exploitdb WORKING POC

by DEFCESCO · pythonlocalwindows

https://www.exploit-db.com/exploits/51892

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2024/Feb/13

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2024/Feb/14

[Exploit, Third Party Advisory] https://blog.defcesco.io/CVE-2024-23749

Scores

CVSS v3 7.8

EPSS 0.0031

EPSS Percentile 54.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (1)

9bis/kitty < 0.76.1.13

Published Feb 09, 2024

Tracked Since Feb 18, 2026