Numbas editor 7.3 theme and extension editing mishandle
Title | Published | Family
---|---|---
Numbas < v7.3 - Remote Code Execution Exploit | 11 Mar 2024 00:00 | zdt
CVE-2024-27612 | 8 Mar 2024 00:00 | vulnrichment
CVE-2024-27612 | 8 Mar 2024 00:00 | cvelist
CVE-2024-27612 | 8 Mar 2024 06:15 | osv
Code injection | 8 Mar 2024 06:15 | prion
Numbas < v7.3 - Remote Code Execution | 10 Mar 2024 00:00 | exploitdb
Numbas Remote Code Execution | 11 Mar 2024 00:00 | packetstorm
CVE-2024-27612 | 8 Mar 2024 06:15 | nvd
Parameter | Position | Path | Description | CWE
---|---|---|---|---
csrfmiddlewaretoken | request body | /theme/new/ | This endpoint allows for creating a new theme, which can lead to remote code execution if manipulated. | CWE-20 |
name | request body | /theme/new/ | This endpoint allows for creating a new theme, which can lead to remote code execution if manipulated. | CWE-20 |
csrfmiddlewaretoken | request body | /login/ | Login endpoint which can be exploited to authenticate and perform further actions. | CWE-20 |
username | request body | /login/ | Login endpoint which can be exploited to authenticate and perform further actions. | CWE-20 |
password | request body | /login/ | Login endpoint which can be exploited to authenticate and perform further actions. | CWE-20 |
next | request body | /login/ | Login endpoint which can be exploited to authenticate and perform further actions. | CWE-20 |
csrfmiddlewaretoken | request body | /themes/{themeID}/edit_source | Endpoint used to edit the source of a theme, which can be exploited to overwrite arbitrary files. | CWE-20 |
source | request body | /themes/{themeID}/edit_source | Endpoint used to edit the source of a theme, which can be exploited to overwrite arbitrary files. | CWE-20 |
filename | request body | /themes/{themeID}/edit_source | Endpoint used to edit the source of a theme, which can be exploited to overwrite arbitrary files. | CWE-20 |
csrfmiddlewaretoken | request body | /themes/{themeID}/delete | Endpoint used to delete a theme, which is a part of the cleanup after exploitation. | CWE-20 |