CVE-2024-26291 – Avid NEXIS Unauthenticated Arbitrary File Read Vulnerability

The following table lists the changes that have been made to the
CVE-2024-26291 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • CVE Modified
    by a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

    Jul. 14, 2025

    Action: Changed
    Type: Description

    Old Value:
    The Application is vulnerable to an Unauthenticated Arbitrary File Read. This affects the Agent installed on Linux and Windows alike. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information.

    This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

    New Value:
    An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information.

    This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

  • New CVE Received
    by a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

    Jul. 14, 2025

    Action: Added
    Type: Description
    New Value:
    The Application is vulnerable to an Unauthenticated Arbitrary File Read. This affects the Agent installed on Linux and Windows alike. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information.

    This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1.

    Action: Added
    Type: CVSS V4.0
    New Value: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Action: Added
    Type: CWE
    New Value: CWE-285

    Action: Added
    Type: Reference
    New Value: https://raeph123.github.io/BlogPosts/Avid_Nexis/Advisory_Avid_Nexus_Agent_Multiple_Vulnerabilities_en.html

    Action: Added
    Type: Reference
    New Value: https://resources.avid.com/SupportFiles/attach/AvidNEXIS/AvidNEXIS_2025_5_1_ReadMe.pdf