CVE-2024-3311

EPSS 1.02%
Veröffentlicht 04.04.2024 21:15:16
Zuletzt bearbeitet 21.11.2024 09:29:22
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

Dreamer CMS ThemesController.java ZipUtils.unZipFiles path traversal

A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259369 was assigned to this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

CNA 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerdreamer_cms_project

≫

Produkt dreamer_cms

Default Statusunknown

Version 4.1.0

Status affected

Herstellerdreamer_cms_project

≫

Produkt dreamer_cms

Default Statusunknown

Version 4.1.1

Status affected

Herstellerdreamer_cms_project

≫

Produkt dreamer_cms

Default Statusunknown

Version 4.1.2

Status affected

Herstellerdreamer_cms_project

≫

Produkt dreamer_cms

Default Statusunknown

Version 4.1.3

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.02%	0.587

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@vuldb.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://gitee.com/iteachyou/dreamer_cms/releases/tag/Latest_Stable_Release_4.1.3.1

https://gitee.com/y1336247431/poc-public/issues/I9BA5R

https://vuldb.com/?ctiid.259369

https://vuldb.com/?id.259369

https://vuldb.com/?submit.303874

https://nvd.nist.gov/vuln/detail/CVE-2024-3311

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3311

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3311

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-3311