
Vulnerability in CRUDDIY software
CVE ID: CVE-2024-4748
Publication date: 24 June 2024
Vendor: CRUDDIY
Product: CRUDDIY
Vulnerable versions: All through 202312.1
Vulnerability type (CWE): Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Report source: Own research

Description

During its own research, CERT Polska found a vulnerability in the CRUDDIY open-source project and participated in coordinating its disclosure.

CRUDDIY is vulnerable to shell command injection: a crafted POST request to the application server causes it to execute attacker-controlled shell commands. The exploitation risk is limited because CRUDDIY is meant to be run locally. Nevertheless, a user who has the project running on their computer might visit a website that submits such a malicious request to the locally launched server; a browser will deliver a cross-site form POST to a localhost address from any page it is rendering, so a local-only deployment does not by itself prevent exploitation.
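The following is an added illustration of the bug class described above, not CRUDDIY's own code: a local web tool that builds a shell command from a POST field, next to a hardened handler that rejects requests whose Origin is not the local host (which defeats the drive-by vector) and runs the command without a shell. The field name `table`, the allowed hosts and the command being run are assumptions made for the example; the request is modelled as a headers dict and a form dict rather than a live HTTP server.

```python
"""Vulnerable vs. hardened handling of a POST field that reaches a shell.

This is illustrative code written for this advisory; it is not taken from
CRUDDIY and the field name below is an assumption, not the real parameter.
"""
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

FIELD = "table"                             # hypothetical POST field
ALLOWED_HOSTS = ("localhost", "127.0.0.1")  # where the tool is meant to run

# Stand-in for the external program the tool shells out to: it just
# echoes its first argument, so injected commands are easy to spot.
ECHO_ARGV = "import sys; print(sys.argv[1])"


def vulnerable_handler(headers: dict, form: dict) -> tuple:
    """Returns (status, body). The POST field is spliced into a shell
    string, so a value such as 'x; echo INJECTED' runs a second command."""
    value = form.get(FIELD, "")
    cmd = f'{shlex.quote(sys.executable)} -c "{ECHO_ARGV}" {value}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return 200, proc.stdout


def is_same_site(headers: dict) -> bool:
    """Browsers attach an Origin header to cross-site form POSTs; a page on
    evil.example submitting to localhost therefore reveals itself here.
    Missing Origin (and the literal 'null') is treated as untrusted."""
    origin = headers.get("Origin")
    if origin is None:
        return False
    return urlsplit(origin).hostname in ALLOWED_HOSTS


def hardened_handler(headers: dict, form: dict) -> tuple:
    """Returns (status, body). Rejects cross-site requests, restricts the
    field to an identifier, and passes it as a discrete argv element."""
    if not is_same_site(headers):
        return 403, "cross-site request rejected"
    value = form.get(FIELD, "")
    if not value.isidentifier():
        return 400, "invalid field value"
    proc = subprocess.run(
        [sys.executable, "-c", ECHO_ARGV, value],  # no shell, no splitting
        capture_output=True, text=True, check=True,
    )
    return 200, proc.stdout


if __name__ == "__main__":
    # Constructed request as a malicious web page would cause a browser
    # to send it: cross-site Origin, shell metacharacters in the field.
    hdrs = {"Origin": "https://evil.example"}
    form = {FIELD: "x; echo INJECTED"}
    print(vulnerable_handler(hdrs, form))   # (200, 'x\nINJECTED\n')
    print(hardened_handler(hdrs, form))     # (403, 'cross-site request rejected')
    print(hardened_handler({"Origin": "http://localhost:8080"}, {FIELD: "x"}))
```

The Origin check is the part that matters for the drive-by scenario: even with the injection fixed, a local tool that executes actions on any POST it receives is reachable from every page the user opens. Non-browser clients such as curl send no Origin and are refused by this check; a tool that needs to serve them should issue a per-session token instead of relying on Origin alone.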

The vulnerability has been assigned CVE-2024-4748. The authors did not consider it an important issue and the project has not received a patch fixing it. The last release tested was 202312.1; newer releases are believed to be vulnerable as well.


More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.