CVE-2024-46210
Published: 10 January 2025
Summary
CVE-2024-46210 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Redaxo Redaxo. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-46210 is an arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS version 5.17.1. The flaw, associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), enables attackers to execute arbitrary code by uploading a crafted file. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-10.
The vulnerability can be exploited over the network by attackers with high privileges, such as authenticated administrative users, requiring low complexity and no user interaction. Successful exploitation allows remote code execution, resulting in high impacts on confidentiality, integrity, and availability within the affected system's scope.
References include a GitHub Gist at https://gist.github.com/h4ckr4v3n/26eaa57d94f749b597ede8b404c234df and a research repository at https://github.com/h4ckr4v3n/research_redaxo_5_17_1.git. No specific mitigation or patch details from advisories are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42205
Vulnerability details
An arbitrary file upload vulnerability in the MediaPool module of Redaxo CMS v5.17.1 allows attackers to execute arbitrary code via uploading a crafted file.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload vulnerability in Redaxo CMS MediaPool enables exploitation of a public-facing web application (T1190) to upload crafted PHP files for remote code execution, equivalent to deploying web shells (T1100, T1505.003). Authenticated RCE via templates and cronjobs further facilitates server-side code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents arbitrary file upload vulnerabilities by validating uploaded files in the MediaPool module for expected content, type, and format to block dangerous crafted files.
Enforces restrictions on file types and content at upload interfaces, mitigating unrestricted uploads of executable code in Redaxo CMS MediaPool.
Remediates the specific flaw in Redaxo CMS v5.17.1 MediaPool by timely identification, reporting, and patching to eliminate the arbitrary code execution vulnerability.