CVE-2024-42640

{"id": "CVE-2024-42640", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-10-11T16:15:08.040", "references": [{"url": "https://github.com/adonespitogo/angular-base64-upload", "source": "cve@mitre.org"}, {"url": "https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Las versiones angular-base64-upload anteriores a v0.1.21 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo no autenticado a trav\u00e9s de demo/server.php. Aprovechar esta vulnerabilidad permite a un atacante cargar contenido arbitrario al servidor, al que posteriormente se puede acceder a trav\u00e9s de demo/uploads. Esto lleva a la ejecuci\u00f3n de contenido cargado previamente y permite al atacante ejecutar c\u00f3digo en el servidor. NOTA: Esta vulnerabilidad solo afecta a los productos que ya no reciben soporte del fabricante."}], "lastModified": "2024-10-15T17:35:04.623", "sourceIdentifier": "cve@mitre.org"}