Home > Vulnerability Database > CVE-2024-38529

Mend.io Vulnerability Database

CVE-2024-38529

Good to know:

Date: July 29, 2024

Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10.

Language: PHP

Severity Score

9.0

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-38529

Url: https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm

Url: https://github.com/Admidio/admidio/commit/3b1cc1cda05747edebe15f2825b79bc5a673d94c

Url: https://github.com/Admidio/admidio

Url: https://www.mend.io/vulnerability-database/CVE-2024-38529

Severity Score

9.0

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version admidio/admidio-v4.3.10

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-38529

Good to know:

Date: July 29, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?