CVE-2024-32491

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-32491
An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.znuny.org/en/advisories/zsa-2024-01
https://znuny.com
Configurations

No configuration.

History

No history.

Information

Published : 2024-04-29 17:15

Updated : 2024-07-03 01:56

NVD link : CVE-2024-32491

Mitre link : CVE-2024-32491

CVE.ORG link : CVE-2024-32491

JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')