CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-23749: KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and...

Description

KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution.

Classification

CVE ID: CVE-2024-23749

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.19% (probability of being exploited)

EPSS Percentile: 41.87% (scored less or equal to compared to others)

EPSS Date: 2025-06-13 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23749
http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
https://blog.defcesco.io/CVE-2024-23749
http://seclists.org/fulldisclosure/2024/Feb/13
http://seclists.org/fulldisclosure/2024/Feb/14

Timeline

2025-05-15 20:40:14 UTC
CVE

KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and...