CVE-2024-4836

Summary

Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected.

Affected Software

VendorProductVersion RangeStatus
EditoEdito CMS3.5 <= 3.25affected

Weaknesses

  • CWE-552: CWE-552 Files or Directories Accessible to External Parties

Workarounds

It is possible to disable access to sensitive files by using a modified configuration template provided by the vendor.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References