Unrestricted File Upload Vulnerability in Beijing Baichuo Smart S42 Management Platform
CVE-2024-1918

9.8CRITICAL

Key Information:

Vendor: Byzoro
CVE Published: 27 February 2024

Badges: Exploit Exists, Public PoC

What is CVE-2024-1918?

A vulnerability exists in the Byzoro Smart S42 Management Platform: the file userattestation.php permits unrestricted file uploads. The flaw arises from improper validation of the 'hidwel' argument and can be exploited remotely without authentication. Because the details have already been disclosed publicly, the vulnerability may lead to unauthorized access and exploitation of affected systems. The vendor was notified about the issue early on but did not respond, so no vendor remediation or guidance is available.

Affected Version(s)

Smart S42 Management Platform 20240219

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, and publicly available PoCs are frequently incorporated into ransomware campaigns.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Public PoC available
  • Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Ting (VulDB User)