Arbitrary File Upload Vulnerability in LEPTON v7.0.0
CVE-2024-24399

7.2HIGH

Key Information:

Vendor: Lepton-cms
Status: Leptoncms
Vendor: CVE Published:; 25 January 2024

What is CVE-2024-24399?

An arbitrary file upload vulnerability exists in LEPTON version 7.0.0, which enables authenticated attackers to upload malicious PHP code to the backend/languages/index.php area. Once the code is uploaded, it can be executed by the attacker, potentially leading to unauthorized access and full control over the affected system. This vulnerability underscores the importance of implementing strict input validation and access controls to safeguard against such security threats.

References

https://github.com/capture0x/leptoncms/blob/main/README.md

https://packetstormsecurity.com/files/176647/Lepton-CMS-7...

https://github.com/capture0x/leptoncms

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 25, 2024
Vulnerability Reserved
Jan 25, 2024

Lepton-cms

What is CVE-2024-24399?

References

CVSS V3.1

Timeline