CVE-2024-52004
Published: 08 November 2024
Summary
CVE-2024-52004 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, ranked in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
MediaCMS is an open source video and media CMS written in Python/Django and React that exposes a REST API. CVE-2024-52004 is an injection vulnerability (CWE-74) caused by insufficient input validation during media uploads; all versions prior to 4.1.0 are affected when the instance permits user uploads, and successful exploitation can result in remote code execution.
An authenticated user who is allowed to upload content can supply specially crafted input that bypasses validation and executes arbitrary code on the server. The CVSS 4.0 score of 8.7 reflects network attack vector, low complexity, and high impact on confidentiality, integrity, and availability without requiring user interaction.
The official advisory at GHSA-x3p4-4442-q2c3 states that the issue is fixed in version 4.1.0 and that no workarounds are known; administrators are advised to upgrade immediately. The associated EPSS score has remained flat at 0.0665 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45812
Vulnerability details
MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code execution. All versions before v4.1.0 are susceptible,…
more
and users are highly recommended to upgrade. The vulnerabilities are related with insufficient input validation while uploading media content. The condition to exploit the vulnerability is that the portal allows users to upload content. This issue has been patched in version 4.1.0. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.