Cyber Resilience

CVE-2024-24724

Critical · Public PoC

Published: 03 April 2024

Modified: 17 July 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4499 (97.7th percentile)
Risk Priority: 47 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-24724 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Gibbonedu Gibbon. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Gibbon versions through 26.0.00 contain a server-side template injection vulnerability in /modules/School Admin/messengerSettings.php. Untrusted input reaches the Twig template engine without sanitization, allowing an attacker to inject template directives that execute arbitrary code on the server. The flaw is tracked as CWE-1336 and carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can submit a malicious payload directly to the affected endpoint and obtain full remote code execution, including the ability to read, modify, or delete data and to pivot within the hosting environment. No credentials or user interaction are required.

The Gibbon project site provides updated releases that address the issue; administrators should upgrade and verify that the messengerSettings.php endpoint no longer passes unsanitized input to the template engine. The EPSS score of 0.45 indicates a high estimated probability of exploitation activity since disclosure.
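The pattern behind CWE-1336 in Twig, shown as an added illustration that is not Gibbon's code: request data compiled as template source, beside two safe alternatives (treating the value as data, or compiling user-authored templates only inside a Twig sandbox). It assumes twig/twig is installed via Composer; the template name `notice.twig` and the input string are constructed for the demo.

```php
<?php
// Added example for CVE-2024-24724's bug class; not Gibbon's code.
// Assumes twig/twig is installed via Composer in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed untrusted input: ordinary text that contains Twig syntax.
$untrusted = 'Welcome {{ "to the sandbox"|upper }} {% set x = 1 %}';

// VULNERABLE: the request value becomes template *source*, so every
// directive it contains is compiled and executed by the engine.
function renderVulnerable(Environment $twig, string $input): string
{
    return $twig->createTemplate($input)->render([]);
}

// FIX 1: the template is fixed code; the request value is only *data*,
// passed as a variable and HTML-escaped by autoescape.
function renderAsData(Environment $twig, string $input): string
{
    return $twig->render('notice.twig', ['message' => $input]);
}

// FIX 2: where user-authored templates are a feature, compile them only
// inside a Twig sandbox with an explicit allow-list of tags and filters;
// anything outside the policy raises SecurityError instead of running.
function renderSandboxed(string $input): string
{
    $policy = new SecurityPolicy(['if'], ['escape', 'upper'], [], [], []);
    $twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true)); // sandbox all
    try {
        return $twig->createTemplate($input)->render(['message' => 'hello']);
    } catch (SecurityError $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

$twig = new Environment(new ArrayLoader(['notice.twig' => '<p>{{ message }}</p>']),
                        ['autoescape' => 'html']);
echo renderVulnerable($twig, $untrusted), "\n"; // directives are executed
echo renderAsData($twig, $untrusted), "\n";     // printed literally, escaped
echo renderSandboxed($untrusted), "\n";         // "set" not allowed: rejected
```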


Vulnerability details

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gibbonedu gibbon, versions ≤ 26.0.00

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
