PT-2024-23045 · Timber · Timber

Trình Vũ · Published 2024-04-12 · Updated 2024-05-18 · CVE-2024-29800

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Timber versions 1.23.0 and earlier

Description: The issue is a Deserialization of Untrusted Data weakness that can lead to remote code execution, particularly when Timber is used together with frameworks or developer code that contain usable POP chains. The root cause is that the input path is not validated before it is passed to the file_exists() function. An attacker who can upload files of any type to the server can then supply a path using the phar:// protocol, causing the uploaded file to be unserialized and arbitrary PHP objects to be instantiated.

Recommendations: For Timber versions 1.23.0 and earlier, filter out the phar:// protocol to prevent exploitation. As a temporary workaround, consider restricting access to the toJpg.php file and the run function within it until a patch is available. Avoid using the phar:// protocol in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
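The recommendation above amounts to validating a user-influenced path before any filesystem call sees it. The following PHP is an added example written for this advisory; it is not Timber's own code and does not reproduce the toJpg.php logic. The function name, the exception class and the extension allow-list are assumptions. It rejects any stream wrapper prefix (which is what carries phar://), refuses NUL bytes, restricts extensions, and confines the canonicalised path to an uploads directory before file_exists()/is_file() is ever called.

```php
<?php
// Added example (not Timber's own code): reject stream wrappers and
// confine a user-influenced path before it reaches file_exists().

declare(strict_types=1);

final class UnsafeImagePathException extends RuntimeException {}

/**
 * Validate that $path is a plain local file inside $uploadsDir with an
 * allowed image extension. Throws on any stream wrapper (phar://, php://,
 * data://, ...), on traversal outside $uploadsDir, and on non-regular files.
 * Function name and allow-list are assumptions for this example.
 */
function resolve_safe_image_path(string $path, string $uploadsDir): string
{
    // 1. Any "scheme://" prefix selects a stream wrapper rather than a local
    //    file. This is the check that keeps phar:// away from file_exists().
    if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $path) === 1) {
        throw new UnsafeImagePathException('Stream wrappers are not allowed: ' . $path);
    }
    // NUL bytes can truncate the path in the underlying C calls.
    if (strpos($path, "\0") !== false) {
        throw new UnsafeImagePathException('NUL byte in path');
    }

    // 2. Allow only a short list of image extensions. The wrapper check in
    //    step 1 is still the essential one: the phar:// prefix, not the file
    //    name, is what triggers phar metadata handling.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new UnsafeImagePathException('Extension not allowed: ' . $ext);
    }

    // 3. Canonicalise and confine to the uploads directory.
    $base = realpath($uploadsDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        throw new UnsafeImagePathException('Path does not exist');
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new UnsafeImagePathException('Path escapes uploads directory');
    }

    // 4. Only now is a filesystem probe on the path safe to perform.
    if (!is_file($real)) {
        throw new UnsafeImagePathException('Not a regular file');
    }
    return $real;
}

// Constructed demo inputs (a temporary uploads directory with one dummy file).
$uploads = sys_get_temp_dir() . '/uploads-demo';
@mkdir($uploads);
file_put_contents($uploads . '/photo.jpg', 'not really a jpeg');

foreach ([
    $uploads . '/photo.jpg',               // accepted
    'phar://' . $uploads . '/photo.jpg',   // rejected: stream wrapper
    $uploads . '/../../etc/passwd',        // rejected: extension, then confinement
] as $candidate) {
    try {
        echo 'OK   ' . resolve_safe_image_path($candidate, $uploads) . PHP_EOL;
    } catch (UnsafeImagePathException $e) {
        echo 'DENY ' . $e->getMessage() . PHP_EOL;
    }
}
```

The wrapper check is deliberately a generic "scheme://" match rather than a deny-list of phar:// alone, so php://, data:// and similar wrappers are refused by the same rule. Since PHP 8.0, filesystem functions no longer unserialize phar metadata automatically, which removes this particular trigger, but the validation is still worth keeping in front of any code path that accepts a file name from an upload or a request.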

Exploit

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-29800
GHSA-6363-V5M4-FVQ3

Affected Products

Timber