CVE-2024-37879

Name of the Vulnerable Software and Affected Versions User-friendly SVN (USVN) versions prior to 1.0.12

Description The issue is related to improper input validation in the /admin/config/save endpoint, allowing administrators to execute arbitrary code via the fields siteTitle, siteIco, and siteLogo. This can be exploited by a local attacker to manipulate these fields.

Recommendations For versions prior to 1.0.12, update to version 1.0.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the /admin/config/save endpoint until a patch is available. Avoid using the fields siteTitle, siteIco, and siteLogo in the affected endpoint until the issue is resolved.