CVE-2024-7928
Published: 19 August 2024
Summary
CVE-2024-7928 is a medium-severity Path Traversal (CWE-22) vulnerability in FastAdmin. Its CVSS base score is 5.3 (Medium).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-7928 is a path traversal vulnerability (CWE-22) affecting FastAdmin versions up to 1.3.3.20220121. It resides in the /index/ajax/lang endpoint, where unsanitized input to the lang parameter allows an attacker to traverse directories on the server filesystem.
The flaw can be triggered remotely by an authenticated user with low privileges. Successful exploitation yields limited read access to arbitrary files outside the intended application directory, though it does not permit modification or service disruption.
Public advisories and the project maintainers state that the issue is resolved by upgrading to version 1.3.4.20220530; the exploit code has already been published, and the current EPSS score of 0.918 (peak 0.929) reflects sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48768
Vulnerability details
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
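The control above, illustrated as an added example (not FastAdmin's code): a request-side `lang` value is accepted only if it matches an allow-list of shipped language codes, and the resolved file path is then confirmed to stay inside the language directory. The directory layout, the `<code>.js` file naming and the allow-list contents are assumptions for the illustration.

```python
import os
import re

# Constructed allow-list of language codes the application ships; a real
# deployment would derive this from the files actually present on disk.
SUPPORTED_LANGS = {"zh-cn", "zh-tw", "en"}

# A language code is short and lowercase, with no separators, dots or NULs.
LANG_PATTERN = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")


def resolve_lang_file(base_dir: str, lang: str) -> str:
    """Return the absolute path of the language file for `lang`, or raise
    ValueError if the request does not name a shipped language.

    Two independent checks: the value must match the pattern and the
    allow-list, and the resolved path must remain under base_dir.
    """
    if not LANG_PATTERN.fullmatch(lang) or lang not in SUPPORTED_LANGS:
        raise ValueError(f"unsupported lang value: {lang!r}")

    root = os.path.realpath(base_dir)
    # Assumed layout: one <lang>.js file per language directly under base_dir.
    candidate = os.path.realpath(os.path.join(root, f"{lang}.js"))

    # Containment check: defence in depth should the allow-list ever be relaxed.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the language directory")
    return candidate


def check_lang_values(base_dir: str, values):
    """Classify each candidate `lang` value as accepted or rejected."""
    results = {}
    for value in values:
        try:
            resolve_lang_file(base_dir, value)
            results[value] = "accepted"
        except ValueError:
            results[value] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed sample inputs: legitimate codes plus traversal-style values.
    samples = ["zh-cn", "en", "../../etc/passwd", "en/../../config", "zh-cn\x00"]
    for value, verdict in check_lang_values("/srv/app/assets/lang", samples).items():
        print(f"{value!r}: {verdict}")
```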