CVE-2024-28187

SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8
https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm
https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8
https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm

Configurations

No configuration.

History

21 Nov 2024, 09:05

Type	Values Removed	Values Added
Summary		(es) SOY CMS es un CMS (sistema de gestión de contenidos) de código abierto que le permite crear blogs y tiendas en línea. Las versiones de SOY CMS anteriores a la 3.14.2 son afectados por una vulnerabilidad de inyección de comandos del sistema operativo dentro de la función de carga de archivos cuando un administrador accede a ella. La vulnerabilidad permite la ejecución de comandos arbitrarios del sistema operativo a través de nombres de archivos especialmente manipulados que contienen un punto y coma, lo que afecta la funcionalidad jpegoptim. Esta vulnerabilidad ha sido parcheada en la versión 3.14.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.
References	~~() https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8 -~~	() https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8 -
References	~~() https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm -~~	() https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm -

11 Mar 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-11 20:15

Updated : 2024-11-21 09:05

NVD link : CVE-2024-28187

Mitre link : CVE-2024-28187

CVE.ORG link : CVE-2024-28187

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.2 /10