CVE-2024-50658
Published: 07 January 2025
Summary
CVE-2024-50658 is a critical-severity Code Injection (CWE-94) vulnerability in Ipublishmedia Adportal. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-50658 is a Server-Side Template Injection vulnerability affecting AdPortal version 3.0.39. The flaw resides in the updateuserinfo.html file and can be triggered through the shippingAsBilling and firstname parameters, allowing generation of attacker-controlled code on the server (CWE-94). It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.
An unauthenticated remote attacker can supply malicious input to these parameters and achieve arbitrary code execution on the underlying server, resulting in full confidentiality, integrity, and availability impact on the affected AdPortal instance.
The provided references point to vendor sites for AdPortal and iPublish Media along with a technical report detailing the issues, but contain no explicit statements on patches or configuration changes for mitigation. The associated EPSS score reached a peak of 0.0579 before receding to its current value of 0.0352, indicating limited sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44612
Vulnerability details
Server-Side Template Injection (SSTI) was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in updateuserinfo.html file
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI in public-facing web app directly enables remote exploitation for arbitrary code execution (T1190) and subsequent use of command/script interpreters (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the SSTI vulnerability in AdPortal 3.0.39 by identifying, reporting, and patching the specific code flaw in updateuserinfo.html.
Information input validation enforces sanitization and validation of untrusted inputs like shippingAsBilling and firstname parameters to block SSTI payloads before template processing.
Boundary protection implements web application firewalls or proxies to inspect and filter network traffic for SSTI attack patterns targeting the vulnerable endpoint.