CVE-2024-52004

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Nov 8, 2024 / Updated: 11d ago

CVSS 8.7 / EPSS 0.04% / Severity: High

Summary

MediaCMS, an open source video and media CMS written in Python/Django and React, is vulnerable to remote code execution in versions prior to v4.1.0. The vulnerability stems from insufficient input validation during media content upload. This issue affects installations where users are allowed to upload content.

Impact

If exploited, this vulnerability could lead to remote code execution, potentially allowing an attacker to execute arbitrary code on the affected system. This could result in unauthorized access, data theft, system compromise, or further exploitation of the network. Given the high ratings for vulnerable system confidentiality, integrity, and availability, the potential impact is severe.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in MediaCMS version 4.1.0. Users are strongly advised to upgrade to this version or later to mitigate the risk.

Mitigation

1. Upgrade MediaCMS to version 4.1.0 or later immediately.
2. If immediate upgrading is not possible, consider temporarily disabling user content uploads until the patch can be applied.
3. Implement strict input validation and sanitization for all user-supplied content.
4. Monitor system logs for any suspicious activity related to content uploads.
5. Apply the principle of least privilege to MediaCMS user accounts and system services.
6. Regularly update and patch all components of the MediaCMS system, including the underlying Django and React frameworks.

CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-52004

Nov 8, 2024 at 11:15 PM
CVSS

A CVSS base score of 8.7 has been assigned.

Nov 8, 2024 at 11:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-52004. See article

Nov 8, 2024 at 11:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 8, 2024 at 11:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 9, 2024 at 9:56 AM

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

News

NA - CVE-2024-52004 - MediaCMS is an open source video and media CMS,...
MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code...
CVE-2024-52004
The vulnerabilities are related to insufficient input validation while uploading media content. The condition to exploit the vulnerability is that the portal allows users to upload content.
CVE-2024-52004 | mediacms up to 4.0.x injection (GHSA-x3p4-4442-q2c3)
A vulnerability has been found in mediacms up to 4.0.x and classified as critical. This vulnerability affects unknown code. The manipulation leads to injection. This vulnerability was named CVE-2024-52004. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-52004 - MediaCMS ReDoS Vulnerability
CVE ID: CVE-2024-52004. Published: Nov. 8, 2024, 11:15 p.m. Description: MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code execution. All versions before v4.1.0 are susceptible, and users are highly recommended to upgrade. The vulnerabilities are related to insufficient input validation while uploading media content.
CVE-2024-52004
MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code execution. All versions before v4.1.0 are susceptible, and users are highly recommended to upgrade. The vulnerabilities are related to insufficient input validation while uploading media content. The condition to exploit the vulnerability is that the portal allows users to upload content. This issue has been patched in version 4.1.0. There are no known workarounds for this...

CVSS V3.1

Unknown
