CVE-2024-9981

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS: 8.8 | EPSS: 0.04% | Severity: High

Summary

The ee-class from FormosaSoft contains a vulnerability where it does not properly validate a specific page parameter. This allows remote attackers with regular privileges to upload a malicious PHP file and then exploit the vulnerability to include the file, resulting in arbitrary code execution on the server.

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.8. It allows attackers to execute arbitrary code on the server, potentially leading to complete system compromise. The impact on confidentiality, integrity, and availability is high: attackers can potentially access sensitive information, modify or delete data, and disrupt server operations. The attack vector is network-based, the attack complexity is low, only low privileges (a regular user account) are required, and no user interaction is needed, making it relatively easy to exploit.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

As of the vulnerability publication date (October 15, 2024), there is no specific information provided about an available patch. The security team should monitor FormosaSoft's official channels for any security updates or patches related to the ee-class component.

Mitigation

While waiting for an official patch, the security team should consider the following mitigation strategies:

1. Implement strict input validation for all parameters, especially the page parameter mentioned in the vulnerability: resolve it against an allowlist of known page names rather than using it to build a file path.
2. Use a web application firewall (WAF) to filter out malicious requests.
3. Limit file upload capabilities and implement strong file type checks, and do not allow PHP execution in upload directories.
4. Restrict the permissions of the web server process to minimize the impact of potential code execution.
5. Monitor for unusual activity or file operations on the server, in particular PHP files appearing under upload directories and page parameter values containing path separators, traversal sequences or stream wrappers.
6. If possible, temporarily disable the vulnerable feature until a patch is available.
7. Keep ee-class and all other server components up to date with the latest security patches.

Given the high severity score and the potential for remote code execution, addressing this vulnerability should be treated as a high priority.
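The following is an added illustration of mitigation item 1, not code from ee-class or FormosaSoft. It shows the general CWE-98 pattern (a request parameter concatenated into an include path) next to a hardened version that treats the page parameter as a key into a fixed map of templates. The function names, the `pages/` directory and the template names are assumptions made for the example; the only real API calls are standard PHP (`include`, `preg_match`, `http_response_code`).

```php
<?php
// Added example (not ee-class code): CWE-98 include pattern and the
// allowlist fix recommended in the Mitigation section. Function and
// file names are hypothetical.

declare(strict_types=1);

// --- Vulnerable pattern (for contrast only) -----------------------------
// ?page=about includes pages/about.php. Because the value is concatenated
// unchanged, any file the web server user can read can be included,
// including a PHP file that was uploaded earlier through another feature.
function renderPageVulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// --- Hardened pattern ---------------------------------------------------
// The page name is never used as a path. It is a key into a literal map,
// so the set of includable files is closed at development time. No
// "strip ../" blacklisting and no realpath() guessing is needed.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the template file name for a page parameter, or null when the
// value is not an allowlisted page.
function resolvePageTemplate(?string $page): ?string
{
    if ($page === null) {
        return PAGE_TEMPLATES['home'];
    }
    // Defence in depth: reject anything outside [a-z0-9_-] before the
    // lookup so null bytes, slashes and stream wrappers never reach include().
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    return PAGE_TEMPLATES[$page] ?? null;
}

function renderPageHardened(?string $page): void
{
    $template = resolvePageTemplate($page);
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/pages/' . $template;
}

// Self-check with constructed inputs; nothing is actually included here.
$cases = [
    'about'                   => 'about.php',
    '../../uploads/avatar'    => null,   // path traversal toward an upload
    'php://filter/resource=x' => null,   // stream wrapper
    "about\0"                 => null,   // null-byte truncation attempt
    'unknownpage'             => null,   // not in the allowlist
];
foreach ($cases as $input => $expected) {
    $got = resolvePageTemplate($input);
    printf("%-32s => %s\n", json_encode($input), var_export($got, true));
    assert($got === $expected);
}
```

The allowlist closes the bug independently of the upload feature: even if an attacker can place a `.php` file on disk, the include can only ever reach the three named templates. Keeping `allow_url_include` off in php.ini and serving upload directories with PHP execution disabled are the complementary controls from items 3 and 4.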

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9981

Oct 15, 2024 at 8:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 15, 2024 at 8:15 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9981.

Oct 15, 2024 at 8:18 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 8:18 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 16, 2024 at 9:58 AM

Affected Systems

Formosasoft/ee-class

Links to MITRE ATT&CK

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-193: PHP Remote File Inclusion

News

Vulnerability Summary for the Week of October 14, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source Info Patch Info Acespritech Solutions Pvt. Ltd.–Social Link Groups Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection.This issue affects Social Link Groups: from n/a through 1.1.0. 2024-10-20 8.5 CVE-2024-49619 audit@patchstack.com acm309–PutongOJ PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
Security Bulletin 16 Oct 2024 - Cyber Security Agency of Singapore
https://nvd.nist.gov/vuln/detail/CVE-2024-9985. CVE-2024-47875, DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML ...
NA - CVE-2024-9981 - The ee-class from FormosaSoft does not properly...
The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to upload a malicious PHP file first and then exploit this...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
