Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by flute
CVE-2024-6947 (GCVE-0-2024-6947)
Vulnerability from nvd – Published: 2024-07-21 09:00 – Updated: 2024-08-01 21:45
VLAI
Title
Flute CMS Notification ContentParser.php replaceContent code injection
Summary
A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability.
Severity
4.7 (Medium)
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.272069 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.272069 | signaturepermissions-required |
| https://vuldb.com/?submit.376785 | third-party-advisory |
| https://github.com/DeepMountains/Mirage/blob/main… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flute:cms:0.2.2.4-alpha:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cms",
"vendor": "flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6947",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:59:06.857639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T15:00:10.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272069 | Flute CMS Notification ContentParser.php replaceContent code injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272069"
},
{
"name": "VDB-272069 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272069"
},
{
"name": "Submit #376785 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha SSTi",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.376785"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-3.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Notification Handler"
],
"product": "CMS",
"vendor": "Flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dee.Mirage (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Flute CMS 0.2.2.4-alpha ausgemacht. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion replaceContent der Datei app/Core/Support/ContentParser.php der Komponente Notification Handler. Mittels Manipulieren mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T09:00:07.017Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272069 | Flute CMS Notification ContentParser.php replaceContent code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272069"
},
{
"name": "VDB-272069 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272069"
},
{
"name": "Submit #376785 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha SSTi",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.376785"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-3.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:11:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flute CMS Notification ContentParser.php replaceContent code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6947",
"datePublished": "2024-07-21T09:00:07.017Z",
"dateReserved": "2024-07-20T10:06:14.538Z",
"dateUpdated": "2024-08-01T21:45:38.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6946 (GCVE-0-2024-6946)
Vulnerability from nvd – Published: 2024-07-21 08:31 – Updated: 2024-08-01 21:45
VLAI
Title
Flute CMS list code injection
Summary
A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068.
Severity
4.7 (Medium)
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.272068 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.272068 | signaturepermissions-required |
| https://vuldb.com/?submit.375214 | third-party-advisory |
| https://github.com/DeepMountains/Mirage/blob/main… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flute:cms:0.2.2.4-alpha:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cms",
"vendor": "flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6946",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:58:35.309010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:59:32.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272068 | Flute CMS list code injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272068"
},
{
"name": "VDB-272068 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272068"
},
{
"name": "Submit #375214 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha Remote Code Execute (RCE)",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.375214"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-2.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CMS",
"vendor": "Flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dee.Mirage (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068."
},
{
"lang": "de",
"value": "In Flute CMS 0.2.2.4-alpha wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /admin/pages/list. Mittels dem Manipulieren des Arguments blocks mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T08:31:03.888Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272068 | Flute CMS list code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272068"
},
{
"name": "VDB-272068 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272068"
},
{
"name": "Submit #375214 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha Remote Code Execute (RCE)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.375214"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-2.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:11:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flute CMS list code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6946",
"datePublished": "2024-07-21T08:31:03.888Z",
"dateReserved": "2024-07-20T10:06:09.962Z",
"dateUpdated": "2024-08-01T21:45:38.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6945 (GCVE-0-2024-6945)
Vulnerability from nvd – Published: 2024-07-21 08:00 – Updated: 2024-08-01 21:45
VLAI
Title
Flute CMS Avatar Upload Page ImagesController.php unrestricted upload
Summary
A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.272067 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.272067 | signaturepermissions-required |
| https://vuldb.com/?submit.375189 | third-party-advisory |
| https://github.com/DeepMountains/Mirage/blob/main… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flute:cms:0.2.2.4-alpha:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cms",
"vendor": "flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6945",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T16:31:12.614428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:33:26.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272067 | Flute CMS Avatar Upload Page ImagesController.php unrestricted upload",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272067"
},
{
"name": "VDB-272067 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272067"
},
{
"name": "Submit #375189 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha File Upload",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.375189"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-1.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Avatar Upload Page"
],
"product": "CMS",
"vendor": "Flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dee.Mirage (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Flute CMS 0.2.2.4-alpha ausgemacht. Sie wurde als kritisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Datei app/Core/Http/Controllers/Profile/ImagesController.php der Komponente Avatar Upload Page. Durch Manipulation des Arguments avatar mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T08:00:06.875Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272067 | Flute CMS Avatar Upload Page ImagesController.php unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272067"
},
{
"name": "VDB-272067 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272067"
},
{
"name": "Submit #375189 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha File Upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.375189"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-1.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:11:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flute CMS Avatar Upload Page ImagesController.php unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6945",
"datePublished": "2024-07-21T08:00:06.875Z",
"dateReserved": "2024-07-20T10:06:03.134Z",
"dateUpdated": "2024-08-01T21:45:38.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6947 (GCVE-0-2024-6947)
Vulnerability from cvelistv5 – Published: 2024-07-21 09:00 – Updated: 2024-08-01 21:45
VLAI
Title
Flute CMS Notification ContentParser.php replaceContent code injection
Summary
A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability.
Severity
4.7 (Medium)
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.272069 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.272069 | signaturepermissions-required |
| https://vuldb.com/?submit.376785 | third-party-advisory |
| https://github.com/DeepMountains/Mirage/blob/main… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flute:cms:0.2.2.4-alpha:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cms",
"vendor": "flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6947",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:59:06.857639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T15:00:10.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272069 | Flute CMS Notification ContentParser.php replaceContent code injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272069"
},
{
"name": "VDB-272069 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272069"
},
{
"name": "Submit #376785 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha SSTi",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.376785"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-3.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Notification Handler"
],
"product": "CMS",
"vendor": "Flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dee.Mirage (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Flute CMS 0.2.2.4-alpha ausgemacht. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion replaceContent der Datei app/Core/Support/ContentParser.php der Komponente Notification Handler. Mittels Manipulieren mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T09:00:07.017Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272069 | Flute CMS Notification ContentParser.php replaceContent code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272069"
},
{
"name": "VDB-272069 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272069"
},
{
"name": "Submit #376785 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha SSTi",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.376785"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-3.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:11:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flute CMS Notification ContentParser.php replaceContent code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6947",
"datePublished": "2024-07-21T09:00:07.017Z",
"dateReserved": "2024-07-20T10:06:14.538Z",
"dateUpdated": "2024-08-01T21:45:38.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6946 (GCVE-0-2024-6946)
Vulnerability from cvelistv5 – Published: 2024-07-21 08:31 – Updated: 2024-08-01 21:45
VLAI
Title
Flute CMS list code injection
Summary
A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068.
Severity
4.7 (Medium)
4.7 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.272068 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.272068 | signaturepermissions-required |
| https://vuldb.com/?submit.375214 | third-party-advisory |
| https://github.com/DeepMountains/Mirage/blob/main… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flute:cms:0.2.2.4-alpha:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cms",
"vendor": "flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6946",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:58:35.309010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:59:32.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272068 | Flute CMS list code injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272068"
},
{
"name": "VDB-272068 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272068"
},
{
"name": "Submit #375214 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha Remote Code Execute (RCE)",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.375214"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-2.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CMS",
"vendor": "Flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dee.Mirage (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068."
},
{
"lang": "de",
"value": "In Flute CMS 0.2.2.4-alpha wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /admin/pages/list. Mittels dem Manipulieren des Arguments blocks mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T08:31:03.888Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272068 | Flute CMS list code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272068"
},
{
"name": "VDB-272068 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272068"
},
{
"name": "Submit #375214 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha Remote Code Execute (RCE)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.375214"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-2.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:11:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flute CMS list code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6946",
"datePublished": "2024-07-21T08:31:03.888Z",
"dateReserved": "2024-07-20T10:06:09.962Z",
"dateUpdated": "2024-08-01T21:45:38.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6945 (GCVE-0-2024-6945)
Vulnerability from cvelistv5 – Published: 2024-07-21 08:00 – Updated: 2024-08-01 21:45
VLAI
Title
Flute CMS Avatar Upload Page ImagesController.php unrestricted upload
Summary
A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.272067 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.272067 | signaturepermissions-required |
| https://vuldb.com/?submit.375189 | third-party-advisory |
| https://github.com/DeepMountains/Mirage/blob/main… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:flute:cms:0.2.2.4-alpha:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cms",
"vendor": "flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6945",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T16:31:12.614428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:33:26.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272067 | Flute CMS Avatar Upload Page ImagesController.php unrestricted upload",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272067"
},
{
"name": "VDB-272067 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272067"
},
{
"name": "Submit #375189 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha File Upload",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.375189"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-1.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Avatar Upload Page"
],
"product": "CMS",
"vendor": "Flute",
"versions": [
{
"status": "affected",
"version": "0.2.2.4-alpha"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dee.Mirage (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been classified as critical. This affects an unknown part of the file app/Core/Http/Controllers/Profile/ImagesController.php of the component Avatar Upload Page. The manipulation of the argument avatar leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272067."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Flute CMS 0.2.2.4-alpha ausgemacht. Sie wurde als kritisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Datei app/Core/Http/Controllers/Profile/ImagesController.php der Komponente Avatar Upload Page. Durch Manipulation des Arguments avatar mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T08:00:06.875Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272067 | Flute CMS Avatar Upload Page ImagesController.php unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272067"
},
{
"name": "VDB-272067 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272067"
},
{
"name": "Submit #375189 | flute-cms.com Web-based CMS for server games written on PHP v0.2.2.4-alpha File Upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.375189"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/DeepMountains/Mirage/blob/main/CVE5-1.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:11:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "Flute CMS Avatar Upload Page ImagesController.php unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6945",
"datePublished": "2024-07-21T08:00:06.875Z",
"dateReserved": "2024-07-20T10:06:03.134Z",
"dateUpdated": "2024-08-01T21:45:38.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}