CVE-2024-2648

Description

A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to improper neutralization of data within xpath expressions. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257286 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3.1 Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

CWE-643 CWE-643

CWE-91 CWE-91

Affected Products

Vendor	Product	Versions
netentsec	application_security_gateway	All

References

Exploits

https://github.com/flyyue2001/cve/blob/main/NS-ASG-sql-naccheck.md https://github.com/flyyue2001/cve/blob/main/NS-ASG-sql-naccheck.md

Other References

https://vuldb.com/?ctiid.257286 https://vuldb.com/?id.257286 https://vuldb.com/?ctiid.257286 https://vuldb.com/?id.257286

Frequently Asked Questions

What is CVE-2024-2648? +

A vulnerability, which was classified as problematic, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /nac/naccheck.php. The manipulation of the argument username leads to improper neutralization of data within xpath expressions. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257286 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. It has a CVSS v3.1 base score of 4.3 (MEDIUM).

How severe is CVE-2024-2648? +

CVE-2024-2648 has a CVSS v3.1 score of 4.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2024-2648? +

CVE-2024-2648 affects products from netentsec, specifically: application_security_gateway. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-2648? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-39565 8.8

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows …

CVE-2026-40699 6.5

A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access …

CVE-2025-11844 5.4

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs …

CVE-2025-20218 4.9

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote …

CVE-2024-2645 4.3

A vulnerability classified as problematic has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part …

CVE-2022-43840 4.3

IBM Aspera Console 3.4.0 through 3.4.4 is vulnerable to an XPath injection vulnerability, which could allow an authenticated attacker to …