Cyber Resilience

CVE-2024-46377

Critical

Published: 18 September 2024

Modified: 16 April 2025
KEV Added: not listed
Patch: none recorded
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2210 (95.9th percentile)
Risk Priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46377 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Mayurik Best House Rental Management System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 4.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Best House Rental Management System version 1.0 is affected by an arbitrary file upload vulnerability tracked as CVE-2024-46377. The flaw resides in the save_settings() function within rental/admin_class.php and is classified under CWE-434. It received a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with low attack complexity and no required privileges or user interaction.

An unauthenticated remote attacker can upload arbitrary files through the vulnerable function, enabling them to achieve full confidentiality, integrity, and availability impacts on the affected system. The published EPSS score stands at 0.2210 with no indicated change from its peak value.
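To make the CWE-434 pattern concrete, the added PHP example below (written for this page, not code from Best House Rental Management System or its GitHub reference) contrasts a settings handler that trusts the client's file name with a hardened version. The form field name, the upload directory and the `$storeDir` path are assumptions; the real save_settings() in rental/admin_class.php is not reproduced here.

```php
<?php
// Illustrative code, not the project's own. The vulnerable handler shows the
// CWE-434 shape the advisory describes: a settings form saves whatever file
// the client sends, under the client's own name, into a web-served folder.

// BEFORE: the extension comes from the request, so a server-side script can
// land in the document root and be executed on the next request.
function save_settings_vulnerable(array $file): string {
    $dest = __DIR__ . '/uploads/' . $file['name'];   // 'uploads/' is assumed
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// AFTER: decide the type from the bytes, pick the name and extension
// ourselves, and write outside the document root with no execute bit.
// (The handler must also sit behind an admin session check; the CVSS
// vector for this CVE records PR:N, i.e. no authentication was enforced.)
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
const MAX_UPLOAD_BYTES    = 2 * 1024 * 1024;

function save_settings_hardened(array $file, string $storeDir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the MIME type from content; $file['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // Require a decodable image. This alone does not stop polyglots, which
    // is why the server-chosen extension and non-served storage matter.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;   // $storeDir: outside web root
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // readable by the app, never executable
    return $name;        // persist this name in settings; serve via a read-only handler
}
```

Serving the stored image through a handler that reads from `$storeDir` and sets a fixed image Content-Type keeps the upload directory out of the web server's execution path entirely.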

The single reference points to a GitHub repository containing further technical details on the issue, though no official vendor advisory or patch information is available in the provided sources.


Vulnerability details

Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the save_settings() function of the file rental/admin_class.php.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in a web application enables exploitation of the public-facing application (T1190) and facilitates deployment of web shells for execution (T1100) and persistence (T1505.003).

Affected Assets

Vendor: mayurik
Product: best house rental management system
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
