CVE-2024-57099
Published: 03 February 2025
Summary
CVE-2024-57099 is a critical-severity Code Injection (CWE-94) vulnerability in Classcms Classcms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
ClassCMS v4.8 contains a code execution vulnerability, identified as CVE-2024-57099 and associated with CWE-94. The flaw resides in the model management feature, where the classview parameter fails to properly sanitize inputs, enabling arbitrary code execution. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity due to high confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious payload for the classview parameter, they can execute arbitrary code on the affected server, potentially gaining full control over the system.
Mitigation details are available in the referenced advisory at https://github.com/ClassCMS/ClassCMS/issues/6, published on 2025-02-03.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53532
Vulnerability details
ClassCMS v4.8 has a code execution vulnerability. Attackers can exploit this vulnerability by constructing a payload in the classview parameter of the model management feature, allowing them to execute arbitrary code and potentially take control of the server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE in public-facing web app via unsanitized parameter (CWE-94).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the failure to sanitize the classview parameter by requiring validation of all information inputs to prevent arbitrary code execution.
- Timely remediation of the specific code execution flaw in the ClassCMS v4.8 model management feature, via patching or correction.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies the high-severity unauthenticated RCE in ClassCMS, enabling prioritization and remediation.