Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Shoaib Rehmat ZIJ KART allows PHP Local File Inclusion. This issue affects ZIJ KART from an unspecified version through version 1.1.
This vulnerability allows an attacker to include local files on the target system, potentially leading to disclosure of sensitive files (configuration, credentials, application source), code execution if attacker-controlled content such as log entries or uploaded files can be reached, and full system compromise. The CVSS vector rates attack complexity as high but requires no privileges and no user interaction, with high impact on confidentiality, integrity, and availability. Given the CVSS base score of 8.1 (High severity), this vulnerability poses a significant risk and should be prioritized for patching.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.
As of the reporting date (November 14, 2024), there is no information provided about an available patch. The vulnerability affects ZIJ KART up to version 1.1, suggesting that users should look for updates beyond this version or wait for an official patch announcement from the vendor.
While waiting for an official patch, consider the following mitigation strategies:
1. Implement strict input validation for all user-supplied input, especially values that end up in include/require statements; reject anything containing path separators, "..", or stream wrapper prefixes such as "php://".
2. Use an allow-list approach: map user input to a fixed set of known includable files rather than building a path from the input.
3. Keep PHP's allow_url_include disabled (it is off by default). Note that this setting only blocks inclusion of remote URLs and does not prevent local file inclusion, which is what this issue allows; open_basedir can additionally confine which local paths the interpreter is permitted to open.
4. Implement proper access controls and file permissions (the web server user should not be able to read secrets it does not need) to limit the impact of successful exploitation.
5. Monitor web server and PHP logs for requests containing traversal sequences or wrapper prefixes, and for unexpected file reads by the PHP process.
6. If possible, temporarily disable or isolate the affected ZIJ KART instances until a patch is available.
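The following is an added illustration of mitigation items 1 and 2, not code from ZIJ KART or from the vendor: a generic PHP include sink driven by a request parameter, next to a hardened version that maps the input to an allow-list. The parameter name "page", the pages/ directory and the map entries are assumptions for illustration only; nothing here describes the actual vulnerable code path in ZIJ KART.

```php
<?php
// Added example, not ZIJ KART code. The "page" parameter, the pages/
// directory and the entries in PAGE_MAP are assumptions for illustration.

// VULNERABLE (CWE-98 pattern): the request value is concatenated into the
// include path unchanged, so ?page=../../../../etc/passwd walks out of
// pages/ and discloses an arbitrary readable local file.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page;
}

// HARDENED: the user value is only ever used as a KEY into a fixed map.
// The included path is a developer-chosen literal, so no attacker bytes
// reach include().
const PAGE_MAP = [
    'home'     => 'home.php',
    'cart'     => 'cart.php',
    'checkout' => 'checkout.php',
];

function resolve_page(?string $page): ?string
{
    if ($page === null || !array_key_exists($page, PAGE_MAP)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGE_MAP[$page];
}

function render_page_hardened(?string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    // Defence in depth: verify the resolved, canonical path still lives under
    // pages/ and exists. This catches a mistaken map entry or a symlink that
    // points outside the directory.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    include $real;
}

render_page_hardened($_GET['page'] ?? null);
```

The key design point is that the hardened version never interpolates user input into a filesystem path at all; the realpath() check is a second layer, not the primary control. Blocklisting "../" or ".php" suffix tricks is weaker because of wrapper schemes and encoding variants, which is why the allow-list is listed first in the mitigations above.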
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD published the first details for CVE-2024-52381
A CVSS base score of 8.1 has been assigned.
Feedly found the first article mentioning CVE-2024-52381.
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.04% (Percentile: 10.2%)