Resource Injection Vulnerability in SimpleMachines SMF
CVE-2024-7437

4.3MEDIUM

Key Information:

Vendor

Simplemachines

Status
Smf
Vendor
CVE Published:
3 August 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-7437?

A serious resource injection vulnerability has been identified in SimpleMachines Forum (SMF) version 2.1.4. This flaw is associated with the Delete User Handler component and specifically affects the file /index.php when a user attempts to remove alerts. The vulnerability arises from improper control of resource identifiers, which can be manipulated by an attacker. This makes it possible for a malicious individual to execute the exploit remotely, leading to unauthorized access or modification of sensitive data. With the exploit disclosed publicly, it is crucial for users and administrators of affected versions to apply necessary patches and implement security measures to mitigate risks.

Affected Version(s)

SMF 2.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-7437 - Proof of Concept

References

https://vuldb.com/?id.273522
vdb-entrytechnical-description
https://vuldb.com/?ctiid.273522
signaturepermissions-required
https://vuldb.com/?submit.380189
third-party-advisory

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

Credit

Fewwords (VulDB User)
.