vulnrichment / NCSC.ch / VULNRICHMENT:CVE-2024-24551
History: Jun 24, 2024 - 7:08 a.m.

CVE-2024-24551 Bludit - Remote Code Execution (RCE) through Image API

2024-06-24 07:08:22
CWE-502
CWE-434
CWE-77
NCSC.ch
github.com
8
bludit
remote code execution
image api
security vulnerability
arbitrary code execution
file uploads
php files

CVSS4: 8.9
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

AI Score: 7.9
Confidence: Low

SSVC
Exploitation: poc
Automatable: no
Technical Impact: total

A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:bludit:bludit:3.9.0:*:*:*:*:*:*:*"
    ],
    "vendor": "bludit",
    "product": "bludit",
    "versions": [
      {
        "status": "affected",
        "version": "3.9.0",
        "versionType": "custom",
        "lessThanOrEqual": "3.15.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]
