CVE-2024-41954

MEDIUM

Fogproject < 1.5.10.41 - Incorrect Permission Assignment

Title source: rule

Description

FOG is a cloning/imaging/rescue suite/inventory management system. The application stores plaintext service account credentials in the "/opt/fog/.fogsettings" file. This file is by default readable by all users on the host. By exploiting these credentials, a malicious user could create new accounts for the web application and much more. The vulnerability is fixed in 1.5.10.41.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/FOGProject/fogproject/security/advisories/GHSA-pcqm-h8cx-282c

Patch x_refsource_misc

https://github.com/FOGProject/fogproject/commit/97ed6d51608e52fc087ca1d2f03d6b8df612fc90

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0010

EPSS Percentile 26.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-732

Status published

Products (1)

fogproject/fogproject 1.5.10 - 1.5.10.41

Published Jul 31, 2024

Tracked Since Feb 18, 2026