PT-2025-5612 · Dumpdrop · Dumpdrop
L8Bl
·
Published
2025-02-04
·
Updated
2025-02-05
·
CVE-2025-24971
CVSS v4.0
9.5
Critical
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
DumpDrop (affected versions not specified)
Description
The issue is related to an OS Command Injection vulnerability in the DumpDrop application, specifically in the "/upload/init" endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the Apprise Notification is enabled. There are no known workarounds for this issue.
Recommendations
As a temporary workaround, consider disabling the Apprise Notification feature until a patch is available.
Restrict access to the "/upload/init" endpoint to minimize the risk of exploitation.
Patch the vulnerability by applying the commit 4ff8469d.
Exploit
Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dumpdrop