CVE-2024-24550
8.9
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Bludit | Bludit | 3.14.0 | affected |
Weaknesses
- CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-502: CWE-502 Deserialization of Untrusted Data
- CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.