Deserialization Vulnerability in HuangDou UTCMS V9
CVE-2024-9917

4.9 MEDIUM

Key Information:

Vendor: Huangdou
Status: Vendor
CVE Published: 13 October 2024

Badges: 👾 Exploit Exists, 🟡 Public PoC

What is CVE-2024-9917?

A serious deserialization vulnerability has been identified in HuangDou UTCMS V9, specifically in the file app/modules/ut-template/admin/template_creat.php. The vulnerability arises from improper handling of user-supplied arguments: an attacker who can manipulate the 'content' parameter can trigger deserialization of attacker-controlled data, leading to arbitrary code execution. The vulnerability can be exploited remotely, making it a critical risk for affected users. Note that the CVSS v3.1 metrics listed below rate Privileges Required as High, consistent with the affected file's location under an admin directory, so exploitation presupposes access to a privileged account. The public disclosure of the exploit increases the urgency for mitigation. Reports suggest that the vendor was informed about this issue but has not responded, leaving users vulnerable. Organizations using this product should prioritize patching and review their security measures.

Affected Version(s)

UTCMS V9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

chenzijie0619 (VulDB User)