CVE-2024-56828
Published: 06 January 2025
Summary
CVE-2024-56828 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in 1000Mz Chestnutcms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 26.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the unvalidated base64 decoding and file extension extraction in the /api/member/avatar endpoint by enforcing input validation that confirms only legitimate image content is accepted.
- SI-10 (Information Input Validation): Prevents arbitrary file uploads by restricting inputs at the API boundary to whitelisted MIME types and formats appropriate for avatars, blocking malicious payloads such as HTML containing JavaScript.
- SI-2 (Flaw Remediation): Requires timely remediation of the specific flaw in memberService.uploadAvatarByBase64, patching the missing file type validation to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The arbitrary file upload vulnerability in the public-facing ChestnutCMS API endpoint (/api/member/avatar), caused by insufficient validation, enables exploitation of a public-facing web application.
NVD Description
File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the base64-encoded image is parsed. For example, given a string like: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= the content after the comma is extracted and decoded using Base64.getDecoder().decode(). The substring from the 11th character up to the first occurrence of a semicolon (;) is assigned to the suffix variable (representing the file extension). The decoded content is then written to a file. However, the file extension is not validated, and since this functionality is exposed to the frontend, it poses significant security risks.
Deeper analysis
CVE-2024-56828 is an unrestricted file upload vulnerability (CWE-434) in ChestnutCMS through version 1.5.0. The issue affects the /api/member/avatar API endpoint, which accepts a base64-encoded string as input for avatar uploads. This string is processed by the memberService.uploadAvatarByBase64 method, where the content after the comma is base64-decoded and written to a file. The file extension is derived from the substring starting at the 11th character up to the first semicolon in the MIME type prefix (e.g., "image/html" from "data:image/html;base64,..."), but it is not validated, enabling arbitrary file types to be stored on the server.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An attacker can send a crafted base64 payload via the exposed frontend endpoint, such as "data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4=", resulting in the decoded malicious content (e.g., HTML with JavaScript) being saved with an unvalidated extension. This allows high-impact outcomes including arbitrary file writes, potential remote code execution, and server compromise.
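The parsing steps described above (extension copied from the data-URL prefix between index 11 and the first semicolon, content base64-decoded and written to disk with no type check) and the SI-10 input-validation control listed under Mitigating Controls, as an added Python example. This is not ChestnutCMS code and not the vendor's fix: `unvalidated_suffix` only reproduces the substring logic the advisory describes, while `validate_avatar`, its allowlist, signature check and size cap are an assumed hardened design. The sample inputs are constructed; the HTML data URL is the one quoted in the NVD description, and the PNG payload is a bare signature padded with zero bytes, enough to exercise the check but not a renderable image.

```python
import base64
import binascii
import re
import secrets

# Constructed sample inputs (see lead-in). The first is the data-URL payload
# quoted in the NVD description; the second is a minimal PNG signature padded
# with zero bytes so the signature check has something to accept.
SAMPLE_HTML_PAYLOAD = (
    "data:image/html;base64,"
    "PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4="
)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG_PAYLOAD = "data:image/png;base64," + base64.b64encode(
    PNG_MAGIC + b"\x00" * 16
).decode("ascii")


def unvalidated_suffix(data_url: str) -> str:
    """Reproduce the extension derivation the advisory describes: the text
    between index 11 (the length of "data:image/") and the first ';' becomes
    the file extension, with no allowlist check. Shown only to make the defect
    concrete; a stored file must never be named from this value."""
    return data_url[11:data_url.index(";")]


# Hardened path (assumed design, not the vendor's patch). The extension is
# chosen by the server from the allowlist entry, never copied from the request,
# and the decoded bytes must start with the signature of the declared type.
ALLOWED_IMAGE_TYPES = {
    "image/png": ("png", PNG_MAGIC),
    "image/jpeg": ("jpg", b"\xff\xd8\xff"),
    "image/gif": ("gif", b"GIF8"),
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024
DATA_URL_RE = re.compile(
    r"^data:([a-z]+/[a-z0-9.+-]+);base64,(.+)$", re.IGNORECASE | re.DOTALL
)


class RejectedUpload(ValueError):
    """Raised for any input that does not pass avatar validation."""


def validate_avatar(data_url: str) -> tuple[str, bytes]:
    """Return (extension, decoded_bytes) for an acceptable avatar, else raise."""
    match = DATA_URL_RE.match(data_url)
    if not match:
        raise RejectedUpload("not a base64 data URL")
    mime = match.group(1).lower()
    if mime not in ALLOWED_IMAGE_TYPES:
        # "image/html" from the advisory's payload is rejected here.
        raise RejectedUpload(f"MIME type not allowed: {mime}")
    ext, magic = ALLOWED_IMAGE_TYPES[mime]
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except (binascii.Error, ValueError):
        raise RejectedUpload("malformed base64 payload")
    if len(raw) > MAX_AVATAR_BYTES:
        raise RejectedUpload("avatar exceeds size limit")
    if not raw.startswith(magic):
        # Declared type is allowed but the bytes are something else.
        raise RejectedUpload(f"content does not look like {mime}")
    return ext, raw


def storage_name(ext: str) -> str:
    """Server-generated file name: random stem plus the allowlisted extension."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print("suffix the unvalidated code would use:", unvalidated_suffix(SAMPLE_HTML_PAYLOAD))
    for label, payload in (("html payload", SAMPLE_HTML_PAYLOAD), ("png payload", SAMPLE_PNG_PAYLOAD)):
        try:
            ext, raw = validate_avatar(payload)
            print(label, "accepted ->", storage_name(ext), len(raw), "bytes")
        except RejectedUpload as err:
            print(label, "rejected:", err)
```

The important design point is that nothing from the request decides where or under what name the bytes land: the MIME type is only a key into a server-side table, the extension comes from that table, and the signature check catches a payload that declares an allowed type but carries other content.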
Advisories and related resources, including the ChestnutCMS Gitee repository (https://gitee.com/liweiyi/ChestnutCMS), a GitHub proof-of-concept (https://github.com/Zerone0x00/CVE/blob/main/ChestnutCMS/CVE-2024-56828.md), and details on 1000mz.com (https://www.1000mz.com/), provide code analysis and exploitation demonstrations but do not specify patches or mitigations in the available information.
Details
- CWE(s)