Cyber Resilience

CVE-2024-7928

Severity: Medium · Public PoC

Published: 19 August 2024
Modified: 13 September 2024
KEV Added: not listed
Patch: (none recorded)
CVSS v4 score: 5.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.9180 (99.7th percentile)
Risk priority: 66 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7928 is a medium-severity Path Traversal (CWE-22) vulnerability in FastAdmin. Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-7928 is a path traversal vulnerability (CWE-22) affecting FastAdmin versions up to 1.3.3.20220121. It resides in the /index/ajax/lang endpoint, where unsanitized input to the lang parameter allows an attacker to traverse directories on the server filesystem.

The flaw can be triggered remotely by an authenticated user with low privileges. Successful exploitation yields limited read access to arbitrary files outside the intended application directory, though it does not permit modification or service disruption.

Public advisories and the project maintainers state that the issue is resolved by upgrading to version 1.3.4.20220530; the exploit code has already been published, and the current EPSS score of 0.918 (peak 0.929) reflects sustained exploitation interest following disclosure.


Vulnerability details

A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fastadmin
Product: fastadmin
Versions: ≤ 1.3.4.20220530

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
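As an added example (not FastAdmin's code, which this page does not show), the control above in working form: a Python lookup that maps a user-supplied `lang` value to a file inside a fixed language directory using an allow-list plus a canonical-path containment check. The directory path, file naming and helper names are assumptions for illustration.

```python
import os
import re
from pathlib import Path

# Constructed scenario: one JSON file per UI language lives in a dedicated
# directory and is selected by a user-supplied "lang" value, the same shape of
# lookup that CVE-2024-7928 describes for the /index/ajax/lang endpoint.
# The base directory and file layout are hypothetical, not FastAdmin's.
LANG_DIR = "/srv/app/public/assets/lang"

# Layer 1, allow-list: a language tag is letters, optionally one "-" or "_"
# and a short alphanumeric region, e.g. "en", "zh-cn", "pt_BR". Dots,
# slashes, percent-encoding and empty strings never pass this check.
LANG_TAG = re.compile(r"^[A-Za-z]{2,8}(?:[-_][A-Za-z0-9]{2,8})?$")


def is_contained(base_dir: str, candidate: str) -> bool:
    """True only if candidate canonicalises to a path inside base_dir.

    os.path.normpath collapses ".." and "." lexically, so the check works
    even when the directory does not exist. commonpath is used instead of
    str.startswith because "/x/lang_old" starts with "/x/lang" yet is not
    inside it; commonpath compares whole path components.
    """
    base = os.path.normpath(base_dir)
    cand = os.path.normpath(candidate)
    return os.path.commonpath([base, cand]) == base


def resolve_lang_file(lang: str, base_dir: str = LANG_DIR) -> Path:
    """Map a language tag to its file under base_dir.

    Raises ValueError on an allow-list failure or, as a second independent
    layer (CWE-22 containment), if the resolved path would leave base_dir.
    """
    if not LANG_TAG.fullmatch(lang):
        raise ValueError(f"invalid language tag: {lang!r}")
    candidate = os.path.join(base_dir, f"{lang}.json")
    if not is_contained(base_dir, candidate):
        raise ValueError(f"path escapes language directory: {lang!r}")
    return Path(os.path.normpath(candidate))


def is_safe_lang(lang: str, base_dir: str = LANG_DIR) -> bool:
    """Convenience wrapper: True only for tags the resolver accepts."""
    try:
        resolve_lang_file(lang, base_dir)
        return True
    except ValueError:
        return False
```

Rejected inputs never reach the filesystem, and a denied request is a useful detection signal to log (tag value, source, user) since the endpoint requires only a low-privilege account.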
