FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2024-7551

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Aug 6, 2024 / Updated: 3mo ago

010
CVSS 5.1EPSS 0.2%Medium
CVE info copied to clipboard

Summary

A path traversal vulnerability has been discovered in juzaweb CMS versions up to 3.4.2. The vulnerability affects an unknown function in the Theme Editor component, specifically in the file /admin-cp/theme/editor/default. This issue allows for manipulation that can lead to path traversal attacks.

Impact

The vulnerability has a CVSS v3.1 base score of 4.9 (Medium severity) and a CVSS v4.0 base score of 5.1 (Medium severity). The main impact is on confidentiality, with a potential for unauthorized access to sensitive information. The attack vector is network-based, allowing for remote exploitation. However, it requires high privileges to execute, which somewhat limits its potential impact. There is no direct impact on system integrity or availability.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch for this vulnerability is not explicitly mentioned in the provided information. However, since the vulnerability affects juzaweb CMS versions up to 3.4.2, it is likely that upgrading to a version newer than 3.4.2 (if available) would address this issue. The security team should check for the latest version of juzaweb CMS and consider upgrading as part of their remediation strategy.

Mitigation

1. Upgrade juzaweb CMS to a version newer than 3.4.2 if available. 2. Implement strong access controls to limit access to the Theme Editor component, especially for users with high privileges. 3. Use input validation and sanitization techniques to prevent path traversal attempts. 4. Consider implementing a Web Application Firewall (WAF) to detect and block path traversal attacks. 5. Regularly audit and monitor access to sensitive files and directories. 6. Apply the principle of least privilege to minimize the risk associated with compromised high-privilege accounts.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7551. See article

Aug 6, 2024 at 12:39 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 6, 2024 at 12:40 PM
CVE Assignment

NVD published the first details for CVE-2024-7551

Aug 6, 2024 at 1:15 PM
CVSS

A CVSS base score of 2.7 has been assigned.

Aug 6, 2024 at 1:20 PM / nvd
CVSS

A CVSS base score of 4.9 has been assigned.

Aug 12, 2024 at 4:15 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Aug 12, 2024 at 7:10 PM
CVSS

A CVSS base score of 4.9 has been assigned.

Oct 28, 2024 at 9:12 PM / nvd
Static CVE Timeline Graph

Affected Systems

Juzaweb/cms
+null more

Exploits

https://github.com/DeepMountains/Mirage/blob/main/CVE9-1.md
+null more

Attack Patterns

CAPEC-126: Path Traversal
+null more

News

Update Wed Oct 9 06:48:57 UTC 2024
Recent Commits to cve:main / 41d
Update Wed Oct 9 06:48:57 UTC 2024
CVE-2024-7551 Exploit
inTheWild.io Exploits / 3mo
CVE Id : CVE-2024-7551 Published Date: 2024-08-12T16:12:00+00:00 A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as problematic. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor. The manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273696. NOTE:
CVE-2024-7551
INCIBE-CERT - Vulnerabilities RSS / 3mo
Gravedad 3.1 (CVSS 3.1 Base Score) A vulnerability was found in juzaweb CMS up to 3.4.2.
NA - CVE-2024-7551 - A vulnerability was found in juzaweb CMS up to...
Security-Database Alerts Monitor : Last 100 Alerts / 3mo
A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as problematic. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme...
CVE-2024-7551 - Juzaweb CMS Theme Editor Remote Path Traversal Vulnerability
Latest Vulnerabilities / 3mo
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics. The identifier of this vulnerability is VDB-273696.
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:None

Categories

CVSS 4.9(21798)CWE-22(6658)Juzaweb(4)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial