CVE-2024-34314
Published: 07 May 2024
Summary
CVE-2024-34314 is a medium-severity PHP Remote File Inclusion (CWE-98) vulnerability in Cmseasy Cmseasy. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34723
Vulnerability details
CmsEasy v7.7.7.9 was discovered to contain a local file inclusion vulnerability via the file_get_contents function in the fetch_action method of /admin/template_admin.php. This vulnerability allows attackers to read arbitrary files.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability in the CMS web application enables exploitation of a public-facing application (T1190) to perform arbitrary local file reads, facilitating collection of data from the local system (T1005) and access to credentials stored in files (T1552.001).