CVE-2024-39171
Published: 09 July 2024
Summary
CVE-2024-39171 is a critical-severity Path Traversal (CWE-22) vulnerability in Phpvibe Phpvibe. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37857
Vulnerability details
Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directory traversal vulnerability in PHPVibe upload endpoints (upload-ffmpeg.php, etc.) allows arbitrary file writes to web paths (e.g., .htaccess modifications and PHP code in .png files), enabling remote code execution via exploitation of a public-facing web application.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.