
Uniguest’s Tripleplay, a popular AV integration solution used across various sectors, has been found to harbor multiple critical vulnerabilities. These flaws, discovered by security researcher Alwin Warringa, expose Tripleplay systems to remote code execution, SQL injection, and cross-site scripting (XSS) attacks.
Tripleplay, designed to deliver media content across networks, is utilized in sectors like sports, venues, enterprises, banking, and government. The vulnerabilities affect all Tripleplay releases prior to version 24.2.1, leaving a vast number of systems potentially at risk.
One of the most severe vulnerabilities (CVE-2024-50704, CVSS 10) allows unauthenticated remote code execution via a specially crafted HTTP POST request. An attacker could exploit this flaw to “execute arbitrary commands on the server” without needing prior authentication.
Another critical flaw (CVE-2024-50706, CVSS 10) is an unauthenticated SQL injection vulnerability. This vulnerability enables attackers to “execute arbitrary SQL queries on the backend database,” potentially granting them access to sensitive data.
Additionally, a reflected cross-site scripting (XSS) vulnerability (CVE-2024-50705) has been identified. This flaw allows attackers to inject malicious scripts into web pages viewed by Tripleplay users, potentially compromising their accounts or stealing data.
The final vulnerability, CVE-2024-50707 (CVSS 10), resides in how Tripleplay handles the X-Forwarded-For header in HTTP GET requests. Attackers can inject a malicious payload into this header, enabling remote command execution on the server. “This issue stems from improper input validation and insufficient sanitization of user-supplied header data,” making it a severe security risk.
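The root cause named above is trusting header data that should only ever be a list of IP addresses. As an added illustration (not Tripleplay's code, and written against a constructed access-log format), the snippet below shows the strict allow-list check a server should apply to X-Forwarded-For before the value reaches any logging, database or shell call, and reuses that check to flag log lines whose header value is not a plain IP list.

```python
import ipaddress
import re
from typing import List, Tuple

# Hypothetical helper: X-Forwarded-For is accepted only as a comma-separated
# list of IPv4/IPv6 literals. Anything else raises, so the caller can drop
# the header instead of passing it further down the stack.
def parse_forwarded_for(value: str) -> List[str]:
    ips = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in X-Forwarded-For")
        ips.append(str(ipaddress.ip_address(item)))  # ValueError if not an IP
    return ips

def is_valid_forwarded_for(value: str) -> bool:
    try:
        parse_forwarded_for(value)
        return True
    except ValueError:
        return False

# Constructed log format (an assumption): combined log plus the raw
# X-Forwarded-For value as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "(?P<xff>[^"]*)"$'
)

def find_suspicious_xff(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, request, header value) for every line whose
    X-Forwarded-For is not a clean IP list; unparseable lines are flagged too."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            hits.append(("?", "?", "<unparsed line>"))
            continue
        xff = m.group("xff")
        if xff != "-" and not is_valid_forwarded_for(xff):
            hits.append((m.group("src"), m.group("req"), xff))
    return hits

# Constructed sample lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "203.0.113.5, 10.0.0.2"',
    '198.51.100.7 - - [12/Nov/2024:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-"',
    '192.0.2.44 - - [12/Nov/2024:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 512 "203.0.113.5 extra"',
    '192.0.2.44 - - [12/Nov/2024:10:01:05 +0000] "GET /index.php HTTP/1.1" 500 0 "not-an-ip"',
]
```

Running `find_suspicious_xff(SAMPLE_LOG)` flags the two lines whose header is not a valid IP list, which is the same condition the validator would reject at request time.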
Uniguest has addressed these vulnerabilities in Tripleplay versions 24.2.1 and 24.1.2, and patches are also available for earlier versions. However, remediation requires “package installation by a trained Uniguest Support Engineer or Technical Services Engineer.”
Uniguest urges users to update to the latest versions or apply the necessary patches immediately. Users can contact their technical account representative or email support@tripleplay.tv to arrange an upgrade.
Organizations using Tripleplay are strongly advised to take immediate action to secure their systems.