Source: vulnrichment (NCSC.ch), VULNRICHMENT:CVE-2024-24550
History: Jun 24, 2024 - 7:05 a.m.

CVE-2024-24550 Bludit - Remote Code Execution (RCE) through File API

Published: 2024-06-24 07:05:50
CWE: CWE-77, CWE-434, CWE-502
References: NCSC.ch, github.com
Tags: bludit, remote code execution, api token, file uploads, arbitrary code execution

CVSS 4.0: 8.9 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

AI Score: 8 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.1%)

A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.

CNA Affected

[
  {
    "repo": "https://github.com/bludit/bludit/",
    "vendor": "Bludit",
    "product": "Bludit",
    "versions": [
      {
        "status": "affected",
        "version": "3.14.0"
      }
    ],
    "platforms": [
      "Linux",
      "Windows",
      "MacOS"
    ],
    "packageName": "Bludit",
    "programFiles": [
      "bl-plugins/api/plugin.php"
    ],
    "collectionURL": "https://www.bludit.com/",
    "defaultStatus": "unaffected"
  }
]
