CVE-2024-26291

CVSS

No CVSS.

n Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

References

Link	Resource
https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html
https://resources.avid.com/SupportFiles/attach/AvidNEXIS/AvidNEXIS_2025_5_1_ReadMe.pdf

Configurations

No configuration.

History

15 Jul 2025, 13:14

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de lectura arbitraria de archivos no autenticados afecta al Agente al instalarse en un sistema. El parámetro filename no valida la ruta, lo que permite a los usuarios leer archivos arbitrarios. Dado que la aplicación se ejecuta con los privilegios más altos (root/NT_AUTHORITY SYSTEM) por defecto, los atacantes pueden obtener información confidencial. Este problema afecta a Avid NEXIS serie E (anterior a 2025.5.1); Avid NEXIS serie F (anterior a 2025.5.1); Avid NEXIS PRO+ (anterior a 2025.5.1); System Director Appliance (SDA+): anterior a 2025.5.1.

14 Jul 2025, 10:15

Type	Values Removed	Values Added
Summary	(en) The Application is vulnerable to an Unauthenticated Arbitrary File Read. This affects the Agent installed on Linux and Windows alike. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.	(en) An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

14 Jul 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-14 09:15

Updated : 2025-07-15 13:14

NVD link : CVE-2024-26291

Mitre link : CVE-2024-26291

CVE.ORG link : CVE-2024-26291

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

JSON object

Attach tags to CVE-2024-26291

Attach tags to `CVE-2024-26291`