Cyber Resilience

CVE-2024-52004

High

Published: 08 November 2024
Modified: 15 April 2026
KEV added: not listed
Patch: available (fixed in MediaCMS 4.1.0)
CVSS v4 score: 8.7 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0665 (91.4th percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52004 is a high-severity injection vulnerability (CWE-74) in MediaCMS with a CVSS v4 base score of 8.7 (High).

Operationally, its EPSS score of 0.0665 places it in the top 8.6% of CVEs by estimated exploit likelihood (91.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

MediaCMS is an open source video and media CMS written in Python/Django and React that exposes a REST API. CVE-2024-52004 is an injection vulnerability (CWE-74) caused by insufficient input validation during media uploads; all versions prior to 4.1.0 are affected when the instance permits user uploads, and successful exploitation can result in remote code execution.

An authenticated user who is permitted to upload content can supply crafted upload input that the server does not adequately validate; in the cases the advisory describes, this leads to remote code execution. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:H/VI:H/VA:H) reflects a network attack of low complexity that needs only low privileges and no user interaction, with high impact on confidentiality, integrity and availability. Note that the required privilege is just an account allowed to upload, so on instances that permit self-registration the effective barrier is very low.
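As an added example (not MediaCMS's own code, and not the advisory's flawed code path, which the advisory does not describe), the plain-Python check below shows the class of upload-time validation that prevents CWE-74 outcomes when a client-supplied file and name later reach downstream tooling such as a transcoder: the name is reduced to a conservative base name, the extension is allowlisted, the body is checked against the container signature the extension promises, and the downstream command is built as an argv list rather than a shell string. Function names, the allowlist, the signatures and the sample inputs are assumptions made here for illustration.

```python
import os
import re
import unicodedata

# Allowlisted extensions and the container signatures expected in the body,
# as (offset, bytes): ISO BMFF 'ftyp' box at offset 4, EBML header for
# WebM/MKV, and the PNG and JPEG file signatures. (Assumed allowlist.)
ALLOWED = {
    "mp4": [(4, b"ftyp")],
    "mov": [(4, b"ftyp")],
    "webm": [(0, b"\x1a\x45\xdf\xa3")],
    "mkv": [(0, b"\x1a\x45\xdf\xa3")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
}

# Anything outside this set is replaced so the stored name cannot carry shell,
# option-parser or path-join metacharacters downstream.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Raised when a client-supplied upload fails validation."""


def safe_filename(original: str) -> str:
    """Reduce a client-supplied name to a base name with an allowlisted extension."""
    if "\x00" in original:
        raise UploadRejected("NUL byte in filename")
    name = unicodedata.normalize("NFKC", original)
    # Drop any directory component the client sent (both separator styles).
    name = os.path.basename(name.replace("\\", "/"))
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        raise UploadRejected("missing or empty extension")
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not allowed")
    # Neutralise metacharacters; strip leading dots/dashes so the stored name is
    # neither hidden nor parsed as a command-line option by a downstream tool.
    stem = _UNSAFE.sub("_", stem).strip("._-")[:64] or "upload"
    return f"{stem}.{ext}"


def sniff_matches(ext: str, head: bytes) -> bool:
    """True when the leading bytes carry the signature expected for `ext`."""
    return all(head[off:off + len(sig)] == sig for off, sig in ALLOWED[ext])


def validate_upload(original_name: str, head: bytes) -> str:
    """Return the name to store the upload under, or raise UploadRejected.

    `head` is the first bytes of the body. Extension and body must agree: an
    extension allowlist alone is defeated by renaming a payload to .mp4.
    """
    name = safe_filename(original_name)
    ext = name.rsplit(".", 1)[1]
    if not sniff_matches(ext, head):
        raise UploadRejected(f"body does not match the .{ext} signature")
    return name


def transcode_command_unsafe(stored_path: str, out_path: str) -> str:
    """Hypothetical anti-pattern (the CWE-74 shape): paths spliced into a shell
    string. Run with shell=True, a name like 'x.mp4; id' executes 'id'."""
    return f"ffmpeg -y -i {stored_path} -c:v libx264 {out_path}"


def transcode_command(stored_path: str, out_path: str) -> list:
    """Hardened shape: an argv list for subprocess.run without a shell, so the
    path is one argument and cannot introduce extra commands or options."""
    return ["ffmpeg", "-y", "-i", stored_path, "-c:v", "libx264", out_path]


if __name__ == "__main__":
    # Constructed inputs: traversal, a metacharacter name, a wrong-type body.
    print(validate_upload("../../etc/cron.d/evil.mp4", b"\x00\x00\x00\x18ftypisom"))
    print(validate_upload("clip;id.mp4", b"\x00\x00\x00\x18ftypmp42"))
    for bad in [("shell.php", b"<?php"), ("movie.mp4", b"<?php echo 1;")]:
        try:
            validate_upload(*bad)
        except UploadRejected as err:
            print("rejected:", bad[0], "->", err)
```

The two transcode builders are there for contrast: even if a name such as `clip;id.mp4` slipped past `safe_filename`, the argv form hands it to ffmpeg as a single argument, whereas the string form run under a shell would execute `id`. Checking the body signature matters because the upload's declared type and extension are both attacker-controlled.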

The official advisory, GHSA-x3p4-4442-q2c3, states that the issue is fixed in version 4.1.0 and that no workarounds are known; administrators are advised to upgrade immediately. Since the advisory's stated precondition is that the portal allows users to upload content, an operator who cannot upgrade at once can at least reduce exposure by temporarily restricting which accounts may upload, although the advisory itself lists no workaround. The EPSS score has remained flat at 0.0665 with no material increase since disclosure.


Vulnerability details

MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code execution. All versions before v4.1.0 are susceptible, and users are highly recommended to upgrade. The vulnerabilities are related with insufficient input validation while uploading media content. The condition to exploit the vulnerability is that the portal allows users to upload content. This issue has been patched in version 4.1.0. There are no known workarounds for this vulnerability.

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

MediaCMS, all versions before 4.1.0 (inferred from the references and description; NVD did not file a CPE for this CVE).

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-74) cited in the NVD entry, not from analysis of the MediaCMS code.

Addresses CWE-74: Developer assessments and testing, including injection-focused techniques, identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
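The monitoring control above is generic. As an added example (not from this page, MediaCMS or its advisory), the detector below is run over constructed upload-request log lines to show what "indicators of injection" look like for an upload endpoint: traversal sequences, path separators, shell metacharacters, NUL bytes, option-like leading dashes and non-media extensions in the client-supplied filename, with a per-user tally for triage. The log format, field names, rule set and sample lines are assumptions made here.

```python
import re
from urllib.parse import unquote

# Constructed sample (not real MediaCMS output): an assumed application log with
# one line per upload request carrying the client-supplied, percent-encoded name.
SAMPLE_LOG = """\
2024-11-09T10:00:01Z upload user=alice ip=203.0.113.5 filename="holiday.mp4" status=201
2024-11-09T10:00:07Z upload user=mallory ip=198.51.100.7 filename="../../../etc/cron.d/job.mp4" status=201
2024-11-09T10:00:09Z upload user=mallory ip=198.51.100.7 filename="clip.mp4%3B%20curl%20http%3A%2F%2Fexample.invalid%2Fx%7Csh" status=400
2024-11-09T10:00:12Z upload user=mallory ip=198.51.100.7 filename="-i%20rtmp%3A%2F%2Fexample.invalid%2Flive" status=400
2024-11-09T10:00:15Z upload user=bob ip=203.0.113.9 filename="talk%20(final).webm" status=201
2024-11-09T10:00:20Z upload user=mallory ip=198.51.100.7 filename="x.mp4%00.php" status=201
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) upload user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'filename="(?P<fn>[^"]*)" status=(?P<status>\d+)$'
)

MEDIA_EXT = {"mp4", "mov", "webm", "mkv", "png", "jpg", "jpeg"}

# Each rule is (label, predicate over the decoded filename).
RULES = [
    ("traversal", lambda n: re.search(r"(^|[\\/])\.\.([\\/]|$)", n) is not None),
    ("path_separator", lambda n: "/" in n or "\\" in n),
    ("shell_metachar", lambda n: re.search(r"[;|&`$<>\n]", n) is not None),
    ("nul_byte", lambda n: "\x00" in n),
    ("leading_dash", lambda n: n.startswith("-")),
    ("non_media_extension", lambda n: n.rpartition(".")[2].lower() not in MEDIA_EXT),
]


def decode_name(raw: str) -> str:
    """Percent-decode twice so double-encoded evasions (%2500, %252e) are seen too."""
    return unquote(unquote(raw))


def detect(log_text: str) -> list:
    """Return one alert per log line whose filename trips at least one rule."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, or a format this parser does not handle
        name = decode_name(m.group("fn"))
        reasons = [label for label, pred in RULES if pred(name)]
        if reasons:
            alerts.append({
                "line": lineno,
                "user": m.group("user"),
                "ip": m.group("ip"),
                "filename": name,
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return alerts


def per_user(alerts: list) -> dict:
    """Count alerts per user. Rejected (4xx) attempts still count: a user whose
    uploads keep tripping rules is probing, whatever the server answered."""
    counts = {}
    for a in alerts:
        counts[a["user"]] = counts.get(a["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["line"], a["user"], a["status"], a["reasons"], repr(a["filename"]))
    print(per_user(found))
```

On the constructed sample, lines 2, 3, 4 and 6 alert and all belong to one account, while `talk (final).webm` passes because spaces and parentheses are not in the metacharacter set; tune that set to what the instance's downstream tooling actually interprets, not to a generic list.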

References

GitHub Security Advisory GHSA-x3p4-4442-q2c3: https://github.com/advisories/GHSA-x3p4-4442-q2c3
NVD entry for CVE-2024-52004: https://nvd.nist.gov/vuln/detail/CVE-2024-52004