Upload of Dangerous File Type vulnerability in CSV to HTML allows Web Shell Upload to Web Server
CVE-2024-52406
9.9 CRITICAL
Summary
The vulnerability allows for unrestricted upload of files with potentially dangerous types within the Wibergs Web CSV to HTML product. This flaw permits the upload of web shell scripts to web servers, which can be utilized by malicious actors to execute arbitrary commands. Affected versions include all prior to 3.04. Securing input handling and implementing file type validation are essential to mitigate the risks associated with this vulnerability.
Affected Version(s)
CSV to html <= 3.04
References
CVSS V3.1
Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
stealthcopter (Patchstack Alliance)