Local File System Validation Bypass Vulnerability in CraftCMS by Craft
CVE-2024-52291

7.2HIGH

Key Information:

Vendor: Craftcms
Status: Craft Cms
Vendor: CVE Published:; 13 November 2024

What is CVE-2024-52291?

A vulnerability exists in CraftCMS that allows an attacker to bypass local file system validation through a crafted double file:// scheme. This exploitation could enable the attacker to define sensitive directories as the file system, resulting in malicious uploads that may overwrite files or grant unauthorized access to sensitive data. Furthermore, under certain conditions, this vulnerability could facilitate remote code execution via Server-Side Template Injection payloads, provided the attacker has an authenticated administrator account with allowAdminChanges enabled. This issue has been addressed in CraftCMS versions 5.4.6 and 4.12.5.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/craftcms/cms/security/advisories/GHSA-...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 13, 2024

JSON

Craftcms

What is CVE-2024-52291?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.