CVE-2024-10749

Name of the Vulnerable Software and Affected Versions ThinkAdmin versions up to 6.1.67

Description A critical issue was found in the function script of the file /app/admin/controller/api/Plugs.php, related to deserialization weaknesses. The manipulation of the uptoken argument leads to deserialization, allowing a remote attack. The complexity of an attack is rather high, and the exploitability is difficult. The exploit has been disclosed to the public and may be used, potentially impacting the confidentiality, integrity, and availability of protected information.

Recommendations For ThinkAdmin versions up to 6.1.67, patch immediately or isolate affected systems to prevent exploitation. As a temporary workaround, consider restricting access to the /app/admin/controller/api/Plugs.php file or disabling the vulnerable function script until a patch is available. Avoid using the uptoken argument in the affected API endpoint until the issue is resolved.