Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)
An Improper Control of Filename for Include/Require Statement vulnerability, also known as PHP Remote File Inclusion, has been identified in Scripteo Ads Booster by Ads Pro. This vulnerability allows for PHP Local File Inclusion. The affected versions of Ads Booster by Ads Pro range from an unspecified version up to and including version 1.12.
This vulnerability has a high severity with a CVSS v3.1 base score of 8.1. The impact is significant across all three main security aspects:
1. Confidentiality: High impact, potentially allowing unauthorized access to sensitive information.
2. Integrity: High impact, possibly enabling attackers to modify or inject malicious code.
3. Availability: High impact, potentially leading to system disruptions or denial of service.
The attack vector is network-based, requires no user interaction, and can be executed without any privileges. However, the attack complexity is considered high, which might slightly reduce the immediacy of the threat.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.
As of the vulnerability publication date (November 18, 2024), there is no specific information provided about an available patch. Given that the vulnerability affects Ads Booster by Ads Pro up to version 1.12, it's possible that a patch may be released in a version newer than 1.12, but this is not confirmed in the provided data.
While no specific mitigation strategies are provided in the vulnerability data, general recommendations for PHP Remote File Inclusion vulnerabilities typically include:
1. Update the affected software to the latest version as soon as a patch becomes available.
2. Implement strong input validation and sanitization for all user-supplied input, especially input used in include or require statements.
3. Use whitelisting for allowed file inclusions rather than blacklisting.
4. Disable the ability to include remote files in the PHP configuration if this feature is not necessary for the application.
5. Implement proper access controls and file permissions to prevent unauthorized file access.
6. Consider using a Web Application Firewall (WAF) to detect and block potential file inclusion attempts.
7. Regularly audit and review code for potential vulnerabilities, particularly focusing on file inclusion mechanisms.
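The allow-list approach from points 2 to 4 above, as an added illustration that is not code from Ads Booster by Ads Pro: the template names, directory and file names are constructed for the example, and the request parameter is assumed to be a query-string value that would otherwise reach an include statement directly.

```php
<?php
// Added example, not the plugin's code. A request parameter such as
// $_GET['page'] must never be passed to include/require as-is; instead it
// selects an entry from a fixed map, and the map decides which file is loaded.
// Template names and paths below are constructed for illustration.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Only these logical names may ever be included.
const ALLOWED_TEMPLATES = [
    'list'   => 'ad-list.php',
    'single' => 'ad-single.php',
    'widget' => 'ad-widget.php',
];

/**
 * Resolve a user-supplied template name to an absolute path inside
 * TEMPLATE_DIR, or return null when the name is not on the allow-list.
 */
function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null;   // unknown name: refuse outright rather than "sanitising" it
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$name]);
    // Defence in depth: the resolved file must still sit under the template directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        error_log('rejected template name: ' . $name);   // useful detection signal
        return;
    }
    include $path;   // only an allow-listed local path ever reaches include
}

// The raw query value only ever selects a key; it never becomes a filename.
render_template($_GET['page'] ?? 'list');
```

Alongside the code change, setting `allow_url_include=Off` (the default in current PHP) in php.ini removes remote inclusion via http:// and similar wrappers entirely, which is the configuration change point 4 refers to.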
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD published the first details for CVE-2024-52428
A CVSS base score of 8.1 has been assigned.
Feedly found the first article mentioning CVE-2024-52428.
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.04% (Percentile: 10.2%)