CVE-2024-50658
Published: 07 January 2025
Summary
CVE-2024-50658 is a critical-severity Code Injection (CWE-94) vulnerability in Ipublishmedia Adportal. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the SSTI vulnerability in AdPortal 3.0.39 by identifying, reporting, and patching the specific code flaw in updateuserinfo.html.
Information input validation enforces sanitization and validation of untrusted inputs like shippingAsBilling and firstname parameters to block SSTI payloads before template processing.
Boundary protection implements web application firewalls or proxies to inspect and filter network traffic for SSTI attack patterns targeting the vulnerable endpoint.
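One way to enforce the input-validation and boundary-protection controls above in a reverse-proxy or WAF hook, shown as an added example (it is not iPublish Media's code and does not come from the advisory). It allowlists the two parameters named in the CVE instead of pattern-matching payloads. Assumptions: the `/adportal/` path prefix, the 64-character limit, the `true`/`false` encoding of shippingAsBilling, and form-encoded request bodies.

```python
import unicodedata
from urllib.parse import parse_qsl, urlsplit

TARGET_SUFFIX = "updateuserinfo.html"   # file named in the CVE description
MAX_NAME_LEN = 64                       # assumed limit, tune to the deployment
BOOL_VALUES = {"true", "false"}         # assumed encoding of shippingAsBilling
NAME_PUNCT = set(" '-.")                # punctuation tolerated in a first name


def valid_firstname(value):
    """Allow only letters, combining marks and a little name punctuation."""
    value = unicodedata.normalize("NFKC", value)
    if not 1 <= len(value) <= MAX_NAME_LEN:
        return False
    return all(unicodedata.category(ch)[0] in "LM" or ch in NAME_PUNCT
               for ch in value)


def valid_shipping_flag(value):
    """Accept the flag only as an exact boolean literal."""
    return value in BOOL_VALUES


# Keys are lower-cased because the application's case handling is unknown.
VALIDATORS = {"firstname": valid_firstname,
              "shippingasbilling": valid_shipping_flag}


def check_request(url, body=""):
    """Return (allowed, reasons) for one request; body is form-encoded."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TARGET_SUFFIX):
        return True, []                 # other endpoints are out of scope here
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    reasons, seen = [], set()
    for key, value in pairs:
        name = key.lower()
        if name not in VALIDATORS:
            continue
        if name in seen:                # proxy and app may pick different copies
            reasons.append(f"{name}: repeated parameter")
        seen.add(name)
        if not VALIDATORS[name](value): # decoded once; leftover '%' fails too
            reasons.append(f"{name}: value outside allowlist")
    return not reasons, reasons


if __name__ == "__main__":              # constructed requests, not real traffic
    for body in ("firstname=Ana-Mar%C3%ADa&shippingAsBilling=true",
                 "firstname=%7B%7Bplaceholder%7D%7D&shippingAsBilling=true"):
        print(check_request("/adportal/updateuserinfo.html", body))
```

Blocked requests are worth logging with their reasons, since hits on this endpoint are also a detection signal for T1190 activity.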
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSTI in public-facing web app directly enables remote exploitation for arbitrary code execution (T1190) and subsequent use of command/script interpreters (T1059).
NVD Description
Server-Side Template Injection (SSTI) found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in the updateuserinfo.html file.
Deeper analysis
CVE-2024-50658 is a Server-Side Template Injection (SSTI) vulnerability, classified under CWE-94, affecting AdPortal version 3.0.39. The issue resides in the updateuserinfo.html file, where the shippingAsBilling and firstname parameters can be manipulated to enable arbitrary code execution. It received a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
A remote attacker requires no authentication to exploit this vulnerability over the network. Successful exploitation grants the attacker the ability to execute arbitrary code on the server, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability as per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Advisories and further details are referenced at http://adportal.com, http://ipublish.com, and https://petercipolone.info/wp-content/uploads/2025/01/iPublishMedia_AdPortal3.0.39_CVEs.pdf, published on 2025-01-07.
Details
- CWE(s)