PatchSiren cyber security CVE debrief
CVE-2024-42493 Dorsett Controls CVE debrief
CVE-2024-42493 is a medium-severity information disclosure vulnerability affecting Dorsett Controls InfoScan versions 1.32, 1.33, and 1.35. The vulnerability was disclosed on August 8, 2024, via CISA's Industrial Control Systems (ICS) advisory program (ICSA-24-221-01). The issue stems from sensitive information leakage through HTTP response headers and rendered JavaScript content that is accessible prior to user authentication, potentially exposing system details to unauthenticated network attackers. The CVSS 3.1 score of 5.3 reflects network accessibility with low attack complexity and no required privileges or user interaction. This vulnerability is particularly relevant to operational technology (OT) environments where InfoScan is deployed for industrial control system monitoring. The vendor has released version 1.38 to address this issue, which administrators can deploy through the system's built-in maintenance interface or via offline update packages from the vendor's customer portal.
- Vendor
- Dorsett Controls
- Product
- InfoScan
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-08-08
- Original CVE updated
- 2024-08-08
- Advisory published
- 2024-08-08
- Advisory updated
- 2024-08-08
Who should care
Organizations operating Dorsett Controls InfoScan in industrial control system environments, particularly those with externally accessible or poorly segmented network deployments. Security teams responsible for OT/ICS asset management and vulnerability remediation programs.
Technical summary
The vulnerability exists in the InfoScan web application's handling of unauthenticated requests. Prior to user login, the system returns HTTP response headers and renders JavaScript that contains potentially sensitive information about the system configuration, version details, or internal architecture. This information leakage occurs without requiring authentication, allowing any network-accessible attacker to gather intelligence that could facilitate further targeted attacks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates network-based exploitation with low complexity, no privileges required, and confidentiality impact limited to low severity. The fix in version 1.38 presumably sanitizes or restricts the information exposed in pre-authentication responses.
Defensive priority
medium
Recommended defensive actions
- Upgrade to Dorsett Controls InfoScan version 1.38 or later through the System Prefs > Maintenance interface
- If internet access is unavailable, download the update from the Dorsett Controls Customer Portal and follow the provided installation instructions
- Review HTTP response headers and JavaScript source for exposed sensitive data in pre-authentication contexts
- Implement network segmentation to limit InfoScan system exposure to untrusted networks
- Apply CISA ICS recommended practices for defense-in-depth security architecture
Evidence notes
Vulnerability confirmed through CISA CSAF advisory ICSA-24-221-01 with vendor acknowledgment. Affected product versions explicitly listed as 1.32, 1.33, and 1.35. Vendor fix version 1.38 confirmed in remediation instructions.
Official resources
-
CVE-2024-42493 CVE record
CVE.org
-
CVE-2024-42493 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-08-08