Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in Laragon software
29 February 2024 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2024-0864
Publication date 29 February 2024
Vendor Leo Khoa
Product Laragon
Vulnerable versions All
Vulnerability type (CWE) Unrestricted Upload of File with Dangerous Type (CWE-434)
Report source Own research

Description

During its own research, CERT Polska has found a vulnerability in Laragon open source project.

Enabling Simple Ajax Uploader plugin included in this software allows for a remote code execution (RCE) attack, which is feasible because file_upload.php lacks a mechanism which would validate files being uploaded. The vulnerability does not directly originate from the plugin source code, but from the example file_upload.php file using it. By default, Laragon is not vulnerable until a user decides to use the aforementioned plugin.

The vulnerability has been assigned the ID CVE-2024-0864 and possibly affects all versions of the software (including the latest 6.0.0). Due to difficulties in reaching out to the vendor it is unknown when (and if) the patch will be released.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.