Vulnerabilities > CVE-2024-8355 - Unspecified vulnerability in Visteon Infotainment Firmware 74.00.311A

CVSS 6.8 - MEDIUM

Attack vector

PHYSICAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

low complexity

visteon

NVD

Published: 2024-11-22

Updated: 2024-12-19

Summary

Visteon Infotainment System DeviceManager iAP Serial Number SQL Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment system. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DeviceManager. When parsing the iAP Serial number, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20112.

Vulnerable Configurations

Part	Description	Count
OS	Visteon Visteon Infotainment Firmware 74.00.311A	1

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1208/