Code Injection Vulnerability in Wuzhicms Affects Multiple Functions
CVE-2024-10505

7.2HIGH

Key Information:

Vendor
wuzhicms
Status
Wuzhicms
Vendor
CVE Published:
30 October 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A critical vulnerability exists in Wuzhicms version 4.1.0, affecting the functionality of adding and editing features in the admin interface, specifically within the file www/coreframe/app/content/admin/block.php. This vulnerability allows an attacker to inject malicious code remotely, which may lead to unauthorized command execution and further compromise the server. Despite initial disclosures to the vendor, no response has been received, raising concerns about the timely mitigation of this threat. As the vulnerability is publicly disclosed, immediate action should be taken to secure systems running this version of Wuzhicms.

Affected Version(s)

wuzhicms 4.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10505 - Proof of Concept

References

https://vuldb.com/?id.282444
vdb-entrytechnical-description
https://vuldb.com/?ctiid.282444
signaturepermissions-required
https://vuldb.com/?submit.427401
third-party-advisory

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LVZC (VulDB User)
.