CVE-2024-7742

A vulnerability was found in wanglongcn ltcms 1.0.20. It has been classified as critical. Affected is the function multiDownload of the file /api/file/multiDownload of the component API Endpoint. The manipulation of the argument file leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
Link Resource
https://github.com/DeepMountains/Mirage/blob/main/CVE14-3.md Exploit Third Party Advisory
https://vuldb.com/?ctiid.274362 Permissions Required Third Party Advisory
https://vuldb.com/?id.274362 Permissions Required Third Party Advisory
https://vuldb.com/?submit.386434 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:ltcms:ltcms:1.0.20:*:*:*:*:*:*:*

History

21 Aug 2024, 19:08

Type Values Removed Values Added
References () https://github.com/DeepMountains/Mirage/blob/main/CVE14-3.md - () https://github.com/DeepMountains/Mirage/blob/main/CVE14-3.md - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.274362 - () https://vuldb.com/?ctiid.274362 - Permissions Required, Third Party Advisory
References () https://vuldb.com/?id.274362 - () https://vuldb.com/?id.274362 - Permissions Required, Third Party Advisory
References () https://vuldb.com/?submit.386434 - () https://vuldb.com/?submit.386434 - Third Party Advisory
CPE cpe:2.3:a:ltcms:ltcms:1.0.20:*:*:*:*:*:*:*
Summary
  • (es) Se encontró una vulnerabilidad en wanglongcn ltcms 1.0.20. Ha sido clasificada como crítica. La función multiDownload del archivo /api/file/multiDownload del componente API Endpoint es afectada por esta vulnerabilidad. La manipulación del archivo de argumentos conduce a server-side request forgery. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. NOTA: Se contactó primeramente con el proveedor sobre esta divulgación, pero no respondió de ninguna manera.
First Time Ltcms
Ltcms ltcms
CVSS v2 : 7.5
v3 : 7.3
v2 : 7.5
v3 : 9.8

13 Aug 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-13 21:15

Updated : 2024-08-21 19:08


NVD link : CVE-2024-7742

Mitre link : CVE-2024-7742

CVE.ORG link : CVE-2024-7742


JSON object : View

Products Affected

ltcms

  • ltcms
CWE
CWE-918

Server-Side Request Forgery (SSRF)