CVE-2024-53345
Published: 07 January 2025
Summary
CVE-2024-53345 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Car Rental Management System (product name inferred from references). Its CVSS 3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.2% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An authenticated arbitrary file upload vulnerability exists in Car Rental Management System versions 1.0 through 1.3. Tracked as CVE-2024-53345 and assigned CWE-434, the flaw lets an attacker upload a crafted file that results in arbitrary code execution. It received a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, low-privileged access, no user interaction, and high impact on confidentiality, integrity and availability.
Any authenticated user can exploit the weakness to upload and execute malicious files on the affected system, gaining full control over the confidentiality, integrity, and availability of the application and the underlying host. PR:L means any valid application account suffices, so the "authenticated" precondition is only as strong as the application's account provisioning. The published EPSS score has remained flat at 0.0891 since disclosure.
Public references consist of a placeholder vendor domain and a GitHub repository containing exploit details; no official advisory or patch information is provided in the available sources. Until a vendor fix appears, treat all versions through 1.3 as unpatched and rely on compensating controls: server-side validation of uploads and storage of uploaded files where the web server cannot execute them.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51952
Vulnerability details
An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
An authenticated arbitrary file upload in a public-facing web application directly enables remote code execution through web-shell deployment.
Affected Assets
- Car Rental Management System v1.0 to v1.3
Mitigating Controls (NIST 800-53 r5)
- SI-2 Flaw Remediation: requires identification, reporting, and correction of the specific flaw that enables authenticated arbitrary file uploads leading to code execution.
- SI-10 Information Input Validation: mandates validation of information inputs, uploaded files included, so that crafted malicious content is neither accepted nor executed.
- SI-3 Malicious Code Protection: deploys malicious-code protection such as scanning of uploaded files to prevent or detect execution of arbitrary code from crafted uploads.
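The SI-10 layer in working form, and the web-shell path T1190 relies on, as an added example. This is not code from Car Rental Management System (the advisory shows neither its upload handler nor its language) but a hypothetical Python handler: the CWE-434 pattern the advisory describes beside a validating version. The allowlist, size limit, script-marker list and all function names are assumptions chosen for illustration.

```python
import os
import secrets
import tempfile

# Hypothetical allowlist of extension -> accepted leading magic bytes, chosen
# for this example; a real deployment lists only the types the feature needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # example limit
# Sequences that have no business in an image or PDF; they catch polyglots
# that carry a valid header and a server-side script in the same file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""


def vulnerable_save(upload_dir, client_name, data):
    """The CWE-434 pattern the advisory describes: the client's file name and
    bytes go unchecked into a directory the web server serves, so a name such
    as 'shell.php' becomes a reachable, server-executed file."""
    path = os.path.join(upload_dir, client_name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def validate_upload(client_name, data):
    """Return the allowlisted extension for this upload or raise UploadRejected.
    Every decision is made from the bytes and an allowlist, never from what
    the client claims."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if os.path.basename(client_name) != client_name:
        raise UploadRejected("path separators in file name")
    parts = client_name.lower().split(".")
    # Exactly <name>.<ext>: rejects 'shell.php.png', '.htaccess' and 'noext'.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("file name must be <name>.<ext>")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowlisted")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script markers")
    return ext


def is_accepted(client_name, data):
    """True if validate_upload would accept the file, False otherwise."""
    try:
        validate_upload(client_name, data)
        return True
    except UploadRejected:
        return False


def hardened_save(upload_dir, client_name, data):
    """Validate, then store under a server-chosen random name.  The client's
    name never touches the filesystem and 'xb' refuses to overwrite."""
    ext = validate_upload(client_name, data)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "xb") as f:
        f.write(data)
    return path


def demo():
    """Run both handlers on a constructed web-shell upload and a constructed PNG
    and report what each did."""
    shell = b"<?php system($_GET['c']); ?>"  # constructed payload
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed PNG header
    polyglot = png + b"<?php echo 1; ?>"  # valid header, script appended
    tmp = tempfile.mkdtemp()
    vuln_path = vulnerable_save(tmp, "shell.php", shell)   # lands as-is
    safe_path = hardened_save(tmp, "car.png", png)          # renamed copy
    return {
        "vulnerable_wrote_php": os.path.basename(vuln_path) == "shell.php",
        "hardened_rejects_shell": not is_accepted("shell.php", shell),
        "hardened_rejects_double_ext": not is_accepted("shell.php.png", png),
        "hardened_rejects_polyglot": not is_accepted("car.png", polyglot),
        "hardened_accepts_png": safe_path.endswith(".png"),
        "hardened_renames": "car" not in os.path.basename(safe_path),
    }
```

`demo()` writes the constructed shell only into a temporary directory that nothing serves, so it shows the defect without creating an executable file. The validator is the SI-10 layer only: `hardened_save` still assumes the upload directory is either not served or served with script execution disabled, the marker check is a crude stand-in for the scanning SI-3 expects, and neither replaces the vendor fix SI-2 calls for.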