CVE-2024-38529
Published: 29 July 2024
Summary
CVE-2024-38529 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Admidio. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 11.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Admidio is a free open-source user management system for organizations and groups. CVE-2024-38529 is an unrestricted file upload vulnerability (CWE-434) in the Message module of versions prior to 4.3.10. The flaw allows an authenticated user to upload a PHP file as a message attachment without any server-side extension validation; the file is then stored under the publicly reachable path adm_my_files/messages_attachments/ and can be executed by requesting its URL.
An attacker with a low-privileged account can therefore upload a web shell, achieve remote code execution on the server, and obtain full control over the application and its data. The CVSS 9.0 vector reflects network attack reachability, low complexity, required user interaction for the upload step, and changed scope that impacts the entire host.
The official GitHub Security Advisory GHSA-g872-jwwr-vggm and the accompanying patch (commit 3b1cc1c) state that the issue is resolved in Admidio 4.3.10 by adding proper file-type checks and preventing direct execution of uploaded attachments. Administrators should upgrade immediately and verify that the messages_attachments directory does not contain unexpected executable files.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0761 before receding to the current value of 0.0422, indicating a measurable but transient increase in exploitation interest after disclosure. No confirmed in-the-wild campaigns have been reported in the supplied references.
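The two defender-side checks described above, the server-side file-type validation that 4.3.10 adds and the post-upgrade audit of the messages_attachments directory, as an added Python example that is not Admidio's own code (Admidio is written in PHP; the logic here is illustrative, not the project's patch). The extension allowlist, the executable-extension list, the random storage-name scheme and the sample files are all constructed for the example; the only value taken from the advisory is the adm_my_files/messages_attachments directory name. The validation goes slightly beyond the "lack of file extension verification" the advisory describes: it also rejects double extensions such as `x.php.jpg` and sniffs the first bytes for a PHP open tag, since an extension check alone does not catch a renamed script served by a lax handler.

```python
"""Defender-side checks for message-attachment uploads.

Added example, not Admidio project code. Part one is the kind of server-side
allowlist check the advisory says was missing before 4.3.10; part two audits
an on-disk attachments directory the way an administrator would after
upgrading. Extension lists, names and sample files are constructed.
"""
import os
import re
import secrets
import tempfile

# Attachment types an organisation would normally expect (constructed allowlist).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx", "xlsx"}

# Extensions a PHP-capable web server may execute or honour as configuration.
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "htaccess",
}

# Matches "<?php" and the short echo tag "<?=" at the start of a script.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_attachment(filename: str, head: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded attachment may be stored.

    Every extension in a dotted name is checked, so ``shell.php.pdf`` is
    rejected even though its final extension is allowed. ``head`` is the first
    few hundred bytes of the upload, sniffed for a PHP open tag so a renamed
    script is refused as well. Returns (accepted, reason).
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or hidden-file extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, f"executable extension in name: {base}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not in allowlist: .{exts[-1]}"
    if PHP_OPEN_TAG.search(head):
        return False, "content begins with a PHP open tag"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random on-disk name that keeps only the (already validated) extension,
    so the client-supplied name never reaches the filesystem."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def audit_attachments_dir(path: str) -> list[str]:
    """Return relative paths of files under ``path`` that a web server could
    execute or that contain PHP source: the post-upgrade check the advisory
    recommends for adm_my_files/messages_attachments."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            exts = name.lower().split(".")[1:]
            with open(full, "rb") as fh:
                head = fh.read(512)
            if any(e in EXECUTABLE_EXTENSIONS for e in exts) or PHP_OPEN_TAG.search(head):
                findings.append(os.path.relpath(full, path))
    return sorted(findings)


def demo() -> list[str]:
    """Build a constructed attachments directory in a temp dir and audit it."""
    tmp = tempfile.mkdtemp(prefix="messages_attachments_")
    samples = {  # constructed sample files, not real attachments
        "agenda.pdf": b"%PDF-1.4 constructed sample\n",
        "minutes.txt": b"plain text, nothing to see\n",
        "photo.php.jpg": b"\xff\xd8\xff constructed jpeg header",
        "notes.phtml": b"<?php echo 'constructed sample'; ?>",
        "report.pdf": b"<?php /* constructed: php source disguised as pdf */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    return audit_attachments_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("SUSPICIOUS:", finding)
```

Run directly, the demo flags the three constructed files that carry an executable extension or PHP content and leaves the genuine PDF and text file alone; to use the audit for real, call `audit_attachments_dir` on the installation's adm_my_files/messages_attachments path. Any hit there after upgrading to 4.3.10 warrants treating the host as compromised rather than simply deleting the file, since the upload may already have been executed.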
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2344
Vulnerability details
Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10.
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.