THREATINT


PUBLISHED

CVE-2024-24550

Bludit - Remote Code Execution (RCE) through File API

Assigner: NCSC.ch
Reserved: 2024-01-25
Published: 2024-06-24
Updated: 2024-06-24

Description

A security vulnerability has been identified in Bludit that allows attackers with knowledge of the API token to upload arbitrary files through the File API, which leads to arbitrary code execution on the server. The vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.



HIGH: 8.9 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Problem types

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-502 Deserialization of Untrusted Data

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

3.14.0: affected

Credits

Andreas Pfefferle, Redguard AG (finder)

References

https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/

cve.org CVE-2024-24550

nvd.nist.gov CVE-2024-24550

https://cve.threatint.com/CVE/CVE-2024-24550