PT-2024-33494 · Plenti

Kevin Stubbings · Published 2024-10-25 · Updated 2025-05-06 · CVE-2024-49380

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Plenti versions prior to 0.7.2
Description: The issue is an arbitrary file write vulnerability in the /postLocal endpoint, which may lead to Remote Code Execution when a Plenti user serves their website.
Recommendations: For versions prior to 0.7.2, update to version 0.7.2 to fix the vulnerability. As a temporary workaround, restrict access to the /postLocal endpoint until the update is applied.

Exploit · Fix

Weakness Enumeration: RCE, Special Elements Injection, OS Command Injection

Related Identifiers

CVE-2024-49380
GHSA-2P96-P7QH-4RGR
GO-2024-3213
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Plenti
SUSE