CVE-2024-48581

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 25, 2024 / Updated: 25d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

A File Upload vulnerability has been identified in the Best courier management system in php v.1.0. This vulnerability allows a remote attacker to execute arbitrary code via the admin_class.php component. The vulnerability is classified under CWE-94, which relates to Improper Control of Generation of Code ('Code Injection').

Impact

The impact of this vulnerability is severe. It allows remote attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. The CVSS v3.1 base score is 9.8 (Critical), with the following characteristics:

- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged

This indicates that an attacker can easily exploit this vulnerability remotely without requiring any privileges or user interaction, potentially resulting in a full compromise of the system's confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

As of the current information provided, there is no mention of an available patch for this vulnerability. The affected software is Best courier management system in php v.1.0.

Mitigation

While no specific patch is mentioned, the following mitigation strategies are recommended:

1. Implement strict input validation and sanitization for all file uploads in the admin_class.php component.
2. Apply the principle of least privilege to the affected component and surrounding systems.
3. Consider disabling or restricting access to the vulnerable file upload functionality until a patch is available.
4. Monitor for any suspicious activities or unauthorized code execution attempts.
5. Keep the Best courier management system and all associated components up to date with the latest security patches when they become available.
6. Implement additional security layers such as Web Application Firewalls (WAF) to help detect and prevent code injection attempts.
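Mitigation item 1 in practice: an upload handler that only accepts allow-listed image types, decides the type from the file's bytes rather than the client's filename, and stores the file under a server-chosen name. This is an added example, not code from the Best Courier Management System; the field name `photo`, the function name and the upload directory are assumptions.

```php
<?php
// Added example, not code from the Best Courier Management System: a hardened
// upload handler. The field name 'photo', the function name and the upload
// directory are assumptions for illustration.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // MIME => ext
const MAX_BYTES = 2 * 1024 * 1024;

// Validate one uploaded file and store it under a random name in $destDir.
// Returns the stored path, or throws on any check failure.
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Never trust the client-supplied filename or Content-Type header:
    // derive the type from the file's own magic bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Rejected MIME type: $mime");
    }
    // The image decoder must also accept the bytes. A valid image can still
    // carry trailing data, so the name and directory rules below still matter.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }
    // Server-chosen random name with a fixed extension: the original name,
    // including any .php or double extension in it, is discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// $destDir should be outside the web root, or in a directory where the web
// server is configured not to run scripts, so a stored file can never execute.
try {
    $stored = store_upload($_FILES['photo'] ?? [], __DIR__ . '/../uploads');
    echo 'stored as ' . basename($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected: ' . $e->getMessage();
}
```

Pair this with a web-server rule that disables script execution in the upload directory; the handler's checks limit what gets stored, the directory rule limits what can run.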

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48581

Oct 25, 2024 at 4:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48581. See article

Oct 25, 2024 at 4:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 25, 2024 at 4:24 PM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 25, 2024 at 8:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 26, 2024 at 9:53 AM

Affected Systems

Mayuri_k/best_courier_management_system

Attack Patterns

CAPEC-242: Code Injection

News

CVE-2024-48581
Critical severity. Description: File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. Read more at https://www.tenable.com/cve/CVE-2024-48581
NA - CVE-2024-48581 - File Upload vulnerability in Best courier...
File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component.
CVE-2024-48581 | SourceCodester Best Courier Management System 1.0 admin_class.php unrestricted upload
A vulnerability, which was classified as critical, has been found in SourceCodester Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file admin_class.php. The manipulation leads to unrestricted upload. This vulnerability is handled as CVE-2024-48581. The attack may be launched remotely. There is no exploit available.
CVE-2024-48581
File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php...
CVE-2024-48581 - Best Courier Management System PHP File Upload Code Execution
CVE ID : CVE-2024-48581 Published : Oct. 25, 2024, 4:15 p.m. 19 minutes ago Description : File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
