History: Jul 02, 2024 - 8:44 a.m.

CVE-2024-4836 LFI in sites managed by Edito CMS

2024-07-02 08:44:05
CWE-552
CERT-PL
www.cve.org
cve-2024-4836
lfi
edito cms
web services
sensitive data

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.0004 Low
Percentile: 15.8%

Web services managed by Edito CMS (Content Management System) in versions 3.5 through 3.25 leak sensitive data because they allow an unauthenticated user to download configuration files.
The issue in versions 3.5 - 3.25 was fixed in releases dated 10th of January 2014. Higher versions were never affected.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Edito CMS",
    "vendor": "Edito",
    "versions": [
      {
        "changes": [
          {
            "at": "patch 10.01.2014",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.25",
        "status": "affected",
        "version": "3.5",
        "versionType": "semver"
      }
    ]
  }
]
