Backend Deserialization Flaw in EyouCMS
CVE-2024-3431

8.8HIGH

Key Information:

Vendor

EyouCMS

Status
Eyoucms
Vendor
CVE Published:
7 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-3431?

A critical backend deserialization vulnerability has been identified in EyouCMS version 1.6.5. The issue resides in the /login.php?m=admin&c=Field&a=channel_edit endpoint, where manipulation of the channel_id parameter can lead to arbitrary code execution. Exploitation of this vulnerability can be performed remotely, potentially allowing attackers to gain unauthorized access and manipulate the application environment. This security flaw has been publicly disclosed, and the vendor has not responded to inquiries about its resolution, raising concerns over the ongoing risk to affected systems.

Affected Version(s)

EyouCMS 1.6.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3431 - Proof of Concept

References

https://vuldb.com/?id.259612
vdb-entrytechnical-description
https://vuldb.com/?ctiid.259612
signaturepermissions-required
https://vuldb.com/?submit.308208
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

v2ish1yan (VulDB User)
.