CVE-2024-22060 - Vulnerability Details - OpenCVE

An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ivanti	Neurons For Itsm

Configuration 1 [-]

cpe:2.3:a:ivanti:neurons_for_itsm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://forums.ivanti.com/s/article/Security-Advisory-May-2024

History

Mon, 30 Jun 2025 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ivanti Ivanti neurons For Itsm
CPEs		cpe:2.3:a:ivanti:neurons_for_itsm::::::::
Vendors & Products		Ivanti Ivanti neurons For Itsm
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}`

Sun, 25 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-434

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-05-31T17:38:31.402Z

Updated: 2024-08-25T14:58:44.653Z

Reserved: 2024-01-05T01:04:06.643Z

Link: CVE-2024-22060

Vulnrichment

Updated: 2024-08-01T22:35:34.702Z

NVD

Status : Analyzed

Published: 2024-05-31T18:15:10.660

Modified: 2025-06-30T18:28:16.107

Link: CVE-2024-22060

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22060", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-01-05T01:04:06.643Z", "datePublished": "2024-05-31T17:38:31.402Z", "dateUpdated": "2024-08-25T14:58:44.653Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Ivanti ", "product": "ITSM", "versions": [{"version": "2023.3", "status": "affected", "lessThanOrEqual": "2023.3", "versionType": "semver"}]}], "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-05-31T17:38:31.402Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.702Z"}, "title": "CVE Program Container", "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "affected": [{"vendor": "ivanti", "product": "neurons_for_itsm", "cpes": ["cpe:2.3:a:ivanti:neurons_for_itsm:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "2023.4", "status": "affected"}, {"version": "2023.3", "status": "affected"}, {"version": "2023.2", "status": "affected"}, {"version": "2023.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T17:53:19.852897Z", "id": "CVE-2024-22060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-25T14:58:44.653Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.702Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-06T17:53:19.852897Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ivanti:neurons_for_itsm:*:*:*:*:*:*:*:*"], "vendor": "ivanti", "product": "neurons_for_itsm", "versions": [{"status": "affected", "version": "2023.4"}, {"status": "affected", "version": "2023.3"}, {"status": "affected", "version": "2023.2"}, {"status": "affected", "version": "2023.1"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-25T14:58:40.720Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H"}}], "affected": [{"vendor": "Ivanti ", "product": "ITSM", "versions": [{"status": "affected", "version": "2023.3", "versionType": "semver", "lessThanOrEqual": "2023.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024"}], "descriptions": [{"lang": "en", "value": "An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-05-31T17:38:31.402Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22060", "state": "PUBLISHED", "dateUpdated": "2024-08-25T14:58:44.653Z", "dateReserved": "2024-01-05T01:04:06.643Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-05-31T17:38:31.402Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ivanti:neurons_for_itsm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9EDA427-1086-4F4B-ADDC-DB67810758A3", "versionEndExcluding": "2023.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server."}, {"lang": "es", "value": "Una vulnerabilidad de carga de archivos sin restricciones en el componente web de Ivanti Neurons para ITSM permite a un usuario remoto, autenticado y con altos privilegios escribir archivos arbitrarios en directorios confidenciales del servidor ITSM."}], "id": "CVE-2024-22060", "lastModified": "2025-06-30T18:28:16.107", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "support@hackerone.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-31T18:15:10.660", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}