VDB-288538 · CVE-2024-12478 · GCVE-100-288538

InvoicePlane जोपर्यंत 1.6.1 upload_file कानस विशेषाधिकार वाढीचे प्रमाण वाढले

एक दुर्बलता जी गंभीर म्हणून ओळखली गेली आहे, ती InvoicePlane जोपर्यंत 1.6.1 मध्ये सापडली आहे. संबंधित आहे फंक्शन upload_file फाइल /index.php/upload/upload_file/1/1 च्या. सॉफ्टवेअरमध्ये कानस या आर्ग्युमेंटमध्ये वापर विशेषाधिकार वाढीचे प्रमाण वाढले घडवून आणतो. CWE द्वारे समस्या जाहीर केल्यास CWE-434 येथे पोहोचता येते. ही दुर्बलता प्रकाशित झाली होती 16/12/2024. ही कमतरता CVE-2024-12478 या नावाने ओळखली जाते. हा हल्ला रिमोटली सुरू करता येऊ शकतो. तांत्रिक माहिती उपलब्ध आहे. यासाठी एक एक्स्प्लॉइट उपलब्ध आहे. शोषणाची माहिती सार्वजनिक करण्यात आली आहे आणि ते वापरले जाऊ शकते. आत्ताच्या क्षणी सुमारे USD $0-$5k असण्याची शक्यता आहे. MITRE ATT&CK प्रकल्प T1608.002 या हल्ला तंत्रज्ञानाची घोषणा करतो. याला प्रूफ-ऑफ-कॉन्सेप्ट असे घोषित करण्यात आले आहे. 0-डे म्हणून त्याची अंदाजित काळ्या बाजारातील किंमत $0-$5k एवढी होती. 1.6.2-beta-1 या आवृत्तीवर अपग्रेड केल्याने ही समस्या हाताळता येईल. नवीन आवृत्ती डाउनलोडसाठी github.com येथे तयार आहे. github.com येथे बगफिक्स डाउनलोडसाठी तयार आहे. प्रभावित घटकाचा अपग्रेड करण्याची शिफारस केली जाते. Once again VulDB remains the best source for vulnerability data.

5 बदल · 118 डेटा पॉइंट्स

शेत	तयार केली 16/12/2024 10:38 AM	अद्ययावत 1/4 16/12/2024 12:27 PM	अद्ययावत 2/4 17/12/2024 05:18 PM	अद्ययावत 3/4 17/12/2024 05:21 PM	अद्ययावत 4/4 15/10/2025 11:09 PM
software_name	InvoicePlane	InvoicePlane	InvoicePlane	InvoicePlane	InvoicePlane
software_version	<=1.6.1	<=1.6.1	<=1.6.1	<=1.6.1	<=1.6.1
software_file	/index.php/upload/upload_file/1/1	/index.php/upload/upload_file/1/1	/index.php/upload/upload_file/1/1	/index.php/upload/upload_file/1/1	/index.php/upload/upload_file/1/1
software_function	upload_file	upload_file	upload_file	upload_file	upload_file
software_argument	file	file	file	file	file
vulnerability_cwe	CWE-434 (विशेषाधिकार वाढीचे प्रमाण वाढले)	CWE-434 (विशेषाधिकार वाढीचे प्रमाण वाढले)	CWE-434 (विशेषाधिकार वाढीचे प्रमाण वाढले)	CWE-434 (विशेषाधिकार वाढीचे प्रमाण वाढले)	CWE-434 (विशेषाधिकार वाढीचे प्रमाण वाढले)
vulnerability_risk	2	2	2	2	2
cvss3_vuldb_av	N	N	N	N	N
cvss3_vuldb_ac	L	L	L	L	L
cvss3_vuldb_pr	L	L	L	L	L
cvss3_vuldb_ui	N	N	N	N	N
cvss3_vuldb_s	U	U	U	U	U
cvss3_vuldb_c	L	L	L	L	L
cvss3_vuldb_i	L	L	L	L	L
cvss3_vuldb_a	L	L	L	L	L
cvss3_vuldb_rl	O	O	O	O	O
cvss3_vuldb_rc	C	C	C	C	C
exploit_availability	1	1	1	1	1
exploit_publicity	1	1	1	1	1
countermeasure_name	अपग्रेड करा	अपग्रेड करा	अपग्रेड करा	अपग्रेड करा	अपग्रेड करा
upgrade_version	1.6.2-beta-1	1.6.2-beta-1	1.6.2-beta-1	1.6.2-beta-1	1.6.2-beta-1
countermeasure_upgrade_url	https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1	https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1	https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1	https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1	https://github.com/InvoicePlane/InvoicePlane/releases/tag/v1.6.2-beta-1
countermeasure_patch_url	https://github.com/InvoicePlane/InvoicePlane/pull/1141	https://github.com/InvoicePlane/InvoicePlane/pull/1141	https://github.com/InvoicePlane/InvoicePlane/pull/1141	https://github.com/InvoicePlane/InvoicePlane/pull/1141	https://github.com/InvoicePlane/InvoicePlane/pull/1141
source_cve	CVE-2024-12478	CVE-2024-12478	CVE-2024-12478	CVE-2024-12478	CVE-2024-12478
cna_responsible	VulDB	VulDB	VulDB	VulDB	VulDB
response_summary	The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
cvss2_vuldb_av	N	N	N	N	N
cvss2_vuldb_ac	L	L	L	L	L
cvss2_vuldb_ci	P	P	P	P	P
cvss2_vuldb_ii	P	P	P	P	P
cvss2_vuldb_ai	P	P	P	P	P
cvss2_vuldb_rc	C	C	C	C	C
cvss2_vuldb_rl	OF	OF	OF	OF	OF
cvss4_vuldb_av	N	N	N	N	N
cvss4_vuldb_ac	L	L	L	L	L
cvss4_vuldb_pr	L	L	L	L	L
cvss4_vuldb_ui	N	N	N	N	N
cvss4_vuldb_vc	L	L	L	L	L
cvss4_vuldb_vi	L	L	L	L	L
cvss4_vuldb_va	L	L	L	L	L
cvss2_vuldb_au	S	S	S	S	S
cvss2_vuldb_e	POC	POC	POC	POC	POC
cvss3_vuldb_e	P	P	P	P	P
cvss4_vuldb_at	N	N	N	N	N
cvss4_vuldb_sc	N	N	N	N	N
cvss4_vuldb_si	N	N	N	N	N
cvss4_vuldb_sa	N	N	N	N	N
cvss4_vuldb_e	P	P	P	P	P
cvss2_vuldb_basescore	6.5	6.5	6.5	6.5	6.5
cvss2_vuldb_tempscore	5.1	5.1	5.1	5.1	5.1
cvss3_vuldb_basescore	6.3	6.3	6.3	6.3	6.3
cvss3_vuldb_tempscore	5.7	5.7	5.7	5.7	5.7
cvss3_meta_basescore	6.3	6.3	6.3	7.5	7.8
cvss3_meta_tempscore	5.7	6.0	6.0	7.1	7.5
cvss4_vuldb_bscore	5.3	5.3	5.3	5.3	5.3
cvss4_vuldb_btscore	2.1	2.1	2.1	2.1	2.1
advisory_date	1734303600 (16/12/2024)	1734303600 (16/12/2024)	1734303600 (16/12/2024)	1734303600 (16/12/2024)	1734303600 (16/12/2024)
price_0day	$0-$5k	$0-$5k	$0-$5k	$0-$5k	$0-$5k
cve_nvd_summary		A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.	A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
cvss4_cna_av		N	N	N	N
cvss4_cna_ac		L	L	L	L
cvss4_cna_at		N	N	N	N
cvss4_cna_pr		L	L	L	L
cvss4_cna_ui		N	N	N	N
cvss4_cna_vc		L	L	L	L
cvss4_cna_vi		L	L	L	L
cvss4_cna_va		L	L	L	L
cvss4_cna_sc		N	N	N	N
cvss4_cna_si		N	N	N	N
cvss4_cna_sa		N	N	N	N
cvss4_cna_bscore		5.3	5.3	5.3	5.3
cvss3_cna_av		N	N	N	N
cvss3_cna_ac		L	L	L	L
cvss3_cna_pr		L	L	L	L
cvss3_cna_ui		N	N	N	N
cvss3_cna_s		U	U	U	U
cvss3_cna_c		L	L	L	L
cvss3_cna_i		L	L	L	L
cvss3_cna_a		L	L	L	L
cvss3_cna_basescore		6.3	6.3	6.3	6.3
cvss2_cna_av		N	N	N	N
cvss2_cna_ac		L	L	L	L
cvss2_cna_au		S	S	S	S
cvss2_cna_ci		P	P	P	P
cvss2_cna_ii		P	P	P	P
cvss2_cna_ai		P	P	P	P
cvss2_cna_basescore		6.5	6.5	6.5	6.5
cvss3_researcher_a			H	H	H
cvss3_researcher_av			N	N	N
cvss3_researcher_rc			C	C	C
cvss3_researcher_s			C	C	C
cvss3_researcher_i			H	H	H
company_name			Autonomous Cyber	Autonomous Cyber	Autonomous Cyber
cvss3_researcher_rl			O	O	O
company_website			https://autonomouscyberco.com	https://autonomouscyberco.com	https://autonomouscyberco.com
cvss3_researcher_ui			N	N	N
cvss3_researcher_c			H	H	H
cvss3_researcher_e			F	F	F
developer_mail			dan@***************.*	dan@***************.*	dan@***************.*
cvss3_researcher_ac			L	L	L
cvss3_researcher_pr			L	L	L
developer_name			FUZZ-E	FUZZ-E	FUZZ-E
cvss3_researcher_basescore				9.9	9.9
cvss3_nvd_s					U
cvss3_nvd_c					H
cvss3_nvd_i					H
cvss3_nvd_a					H
cvss3_nvd_basescore					8.8
cve_nvd_summaryes					Se ha detectado una vulnerabilidad en InvoicePlane hasta la versión 1.6.1. Se ha declarado como crítica. Esta vulnerabilidad afecta a la función upload_file del archivo /index.php/upload/upload_file/1/1. La manipulación del archivo de argumentos provoca una carga sin restricciones. El ataque se puede iniciar de forma remota. El exploit se ha hecho público y puede utilizarse. La actualización a la versión 1.6.2-beta-1 puede solucionar este problema. Se recomienda actualizar el componente afectado. Se contactó al proveedor con prontitud, respondió de manera muy profesional y lanzó rápidamente una versión corregida del producto afectado.
cvss3_nvd_av					N
cvss3_nvd_ac					L
cvss3_nvd_pr					L
cvss3_nvd_ui					N

◂ मागील बाजूस सिंहावलोकन पुढील ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!