CVE-2024-4836
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Edito | Edito CMS | 3.5 <= 3.25 | affected |
Weaknesses
- CWE-552: CWE-552 Files or Directories Accessible to External Parties
Workarounds
It is possible to disable access to sensitive files by using a modified configuration template provided by the vendor.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://www.edito.pl/
- https://cert.pl/en/posts/2024/07/CVE-2024-4836
- https://cert.pl/posts/2024/07/CVE-2024-4836
References
- https://www.edito.pl/
- https://cert.pl/en/posts/2024/07/CVE-2024-4836
- https://cert.pl/posts/2024/07/CVE-2024-4836
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.