PT-2024-20462 · Unknown · File Manager

Damaidec +2

Published: 2024-01-31
Updated: 2024-02-13

CVE-2024-24572

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: facileManager versions 4.5.0 and earlier

Description: The issue concerns a modular suite of web apps built with the sysadmin in mind. In the affected versions, the $_REQUEST global array is passed unsafely to extract() in admin-logs.php. Although the PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via GET/POST parameters, it does not prevent manipulation of other sensitive variables such as $search_sql. An authenticated user with privileges to view site logs can overwrite the $search_sql variable by appending a GET parameter search_sql to the URL. This bypasses the existing checks and SQL injection prevention.

Recommendations: For versions 4.5.0 and earlier, consider removing the extract() call in admin-logs.php or restricting access to the $search_sql variable until a patch is available. As a temporary workaround, avoid using the search_sql parameter in the affected URL until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.
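An added illustration of the pattern described above (example code, not facileManager's own): the extract() call that lets a request key overwrite a server-side variable, beside a hardened equivalent that reads only expected keys and binds them as query parameters. Apart from $search_sql, the function, table and parameter names are assumptions.

```php
<?php
// Added example, not facileManager's code. Names other than $search_sql
// (the functions, the `logs` table, the `user`/`level` keys) are assumed.

// Vulnerable pattern: $search_sql is set server-side, then extract() imports
// every request key as a local variable, so a request key named search_sql
// replaces the server-side value before it reaches the query.
function build_search_vulnerable(array $request): string
{
    $search_sql = '';                 // server-side default
    extract($request);                // overwrites $search_sql if the key is present
    return 'SELECT * FROM logs WHERE 1=1 ' . $search_sql;
}

// Hardened pattern: never extract() request data; read only the keys you
// expect, validate them, and pass values as bound parameters, not SQL text.
function build_search_hardened(array $request): array
{
    $where  = [];
    $params = [];
    if (isset($request['user']) && $request['user'] !== '') {
        $where[]         = 'user = :user';
        $params[':user'] = $request['user'];
    }
    if (isset($request['level']) && in_array($request['level'], ['info', 'warn', 'error'], true)) {
        $where[]          = 'level = :level';
        $params[':level'] = $request['level'];
    }
    $sql = 'SELECT * FROM logs' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    return [$sql, $params];           // run as $pdo->prepare($sql)->execute($params)
}

// Constructed request: an unexpected search_sql key next to a legitimate filter.
$constructed = ['user' => 'alice', 'search_sql' => '/* text supplied by the request */'];
var_dump(build_search_vulnerable($constructed)); // request text lands inside the SQL string
var_dump(build_search_hardened($constructed));   // search_sql is ignored; user is a bound parameter
```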

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-24572
GHSA-XW34-8PJ6-75GC

Affected Products

File Manager