CVE-2024-52428

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS: 8.1 (High) / EPSS: 0.04%

Summary

An Improper Control of Filename for Include/Require Statement vulnerability (CWE-98, whose CWE title is 'PHP Remote File Inclusion') has been identified in Scripteo Ads Booster by Ads Pro, a WordPress plugin. Despite the CWE's name, the weakness as described here is a PHP Local File Inclusion: an attacker can influence the filename passed to an include/require statement and cause the plugin to load a file from the server's own filesystem. The affected range runs from an unspecified version ("n/a") up to and including version 1.12.

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.1. All three impact metrics are rated High:
1. Confidentiality: High. Including arbitrary local files can expose their contents, for example configuration files holding credentials.
2. Integrity: High. If the attacker can get a file with controlled content onto the host (an upload, a log, a temporary file), including it executes attacker-supplied PHP.
3. Availability: High. Arbitrary inclusion can crash or loop the application, leading to denial of service.
The attack vector is network-based, requires no user interaction, and needs no privileges. Attack complexity is rated High, meaning successful exploitation depends on conditions outside the attacker's direct control, so the vulnerability is not necessarily trivially exploitable on every installation, but the score still reflects full compromise when those conditions are met.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.

Patch

As of the vulnerability publication date (November 18, 2024), no fixed version is identified in the available data. Because the affected range is "through 1.12", a fix, if one is released, would presumably ship in a version later than 1.12, but this is not confirmed by the provided data.

Mitigation

No specific mitigation is provided in the vulnerability data. General recommendations for file inclusion vulnerabilities of this kind include:
1. Update the affected plugin as soon as a fixed version becomes available; until then, consider deactivating it if it is not required.
2. Never pass user-supplied input directly to include/require. Validate it strictly, and treat path separators, "..", stream wrappers (php://, data://, phar://) and null bytes as hostile.
3. Use an allowlist that maps an external identifier to a fixed set of known files rather than trying to blacklist bad patterns.
4. Keep allow_url_include=Off (the PHP default). Note that this only blocks remote inclusion; since this issue is a Local File Inclusion, also consider open_basedir to confine what PHP may read.
5. Apply least-privilege file permissions and ownership so the web server user cannot read secrets it does not need, and keep upload directories non-executable.
6. Consider a Web Application Firewall (WAF) to detect and block traversal and wrapper payloads in request parameters; treat it as a compensating control, not a fix.
7. Regularly audit code for include/require statements whose path is built from request data.
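The following is an added example, not code from the Ads Booster by Ads Pro plugin, showing the CWE-98 pattern in a PHP snippet beside two hardened variants (a fixed allowlist, and realpath-based containment). All names (the template directory, the template keys, the `tpl` parameter) are hypothetical; the probe inputs are constructed to illustrate the inputs a local file inclusion attack typically relies on.

```php
<?php
// Added example (not the plugin's code). Illustrates a user-controlled value
// reaching include/require and two ways to harden it. File and parameter
// names are hypothetical.
declare(strict_types=1);

// Hypothetical template directory, created under the temp dir so the script
// runs stand-alone. One legitimate template is written into it.
$templateDir = sys_get_temp_dir() . '/cwe98_demo_templates';
@mkdir($templateDir, 0700);
file_put_contents($templateDir . '/banner.php', "<?php echo \"banner template\\n\";\n");

// VULNERABLE: request value concatenated into the include path. The ".php"
// suffix does not stop "../../wp-config" style traversal, and on old PHP
// versions a NUL byte or a php://filter wrapper could defeat such suffixes.
// Kept only for contrast; never call it with untrusted input.
function render_template_vulnerable(string $dir, string $name): void
{
    include $dir . '/' . $name . '.php';
}

// HARDENED, variant 1: map the external key to a fixed allowlist. The
// attacker may choose among known templates and nothing else.
const TEMPLATE_ALLOWLIST = [
    'banner'  => 'banner.php',
    'sidebar' => 'sidebar.php',
    'popup'   => 'popup.php',
];

function resolve_template_allowlist(string $dir, string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null;                       // unknown key: refuse, do not guess
    }
    return $dir . '/' . TEMPLATE_ALLOWLIST[$name];
}

// HARDENED, variant 2 (defence in depth when a fixed map is impractical):
// restrict the character set, canonicalise, and require the result to stay
// inside $dir. realpath() resolves "..", resolves symlinks and returns false
// for non-existent paths and stream wrappers, so only real files under the
// template directory can come out of it.
function resolve_template_contained(string $dir, string $name): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;                       // rejects "/", ".", ":", NUL, etc.
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the template dir
    }
    return $path;
}

function render_template(string $dir, string $name): bool
{
    $path = resolve_template_allowlist($dir, $name);
    if ($path === null || !is_file($path)) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Constructed probes, as an attacker might send in a request parameter
// such as a hypothetical $_GET['tpl']:
$probes = [
    'banner',                                             // legitimate key
    '../../../../wp-config',                              // traversal to WordPress secrets
    'php://filter/convert.base64-encode/resource=index',  // wrapper-based source read
    "banner\0",                                           // NUL truncation attempt
];
foreach ($probes as $p) {
    printf("%-55s allowlist=%-6s contained=%s\n",
        json_encode($p),
        resolve_template_allowlist($templateDir, $p) === null ? 'reject' : 'ok',
        resolve_template_contained($templateDir, $p) === null ? 'reject' : 'ok');
}
render_template($templateDir, 'banner');   // includes the one real template
```

The allowlist variant is the one to prefer in a plugin: it removes the filesystem from the decision entirely, so a missing template is an application error rather than a path question. The containment variant is useful when templates are user-installed and the set is not known at code time; the character-class check before realpath matters because realpath itself will happily resolve traversal, and because PHP 8 throws on paths containing NUL bytes.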

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-52428

Nov 18, 2024 at 3:15 PM
CVSS

A CVSS base score of 8.1 has been assigned.

Nov 18, 2024 at 3:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-52428.

Nov 18, 2024 at 3:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 18, 2024 at 3:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.2%)

Nov 19, 2024 at 9:42 AM

Affected Systems

Php/php (as tagged by the tracker; the vulnerable component is the Ads Booster by Ads Pro WordPress plugin, versions through 1.12)

Attack Patterns

CAPEC-193: PHP Remote File Inclusion

News

NA - CVE-2024-52428 - Improper Control of Filename for...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Scripteo Ads Booster by Ads Pro allows PHP Local File...
CVE-2024-52428 | Ads Pro Scripteo Ads Booster Plugin up to 1.12 on WordPress filename control
A vulnerability was found in Ads Pro Scripteo Ads Booster Plugin up to 1.12 on WordPress. It has been classified as problematic. Affected is an unknown function. The manipulation leads to improper control of filename for include/require statement in php program ('php remote file inclusion'). This vulnerability is traded as CVE-2024-52428. It is possible to launch the attack remotely. There is no exploit available.

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
