CVE-2024-29272

Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0	Patch
https://github.com/givanz/VvvebJs/issues/343	Exploit Third Party Advisory Issue Tracking
https://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0	Patch
https://github.com/givanz/VvvebJs/issues/343	Exploit Third Party Advisory Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:vvveb:vvvebjs:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-03-22 04:15

Updated : 2025-05-28 19:00

NVD link : CVE-2024-29272

Mitre link : CVE-2024-29272

CVE.ORG link : CVE-2024-29272

JSON object : View

Products Affected

vvveb

vvvebjs

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-29272", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2024-03-22T04:15:11.663", "references": [{"url": "https://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/givanz/VvvebJs/issues/343", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/givanz/VvvebJs/issues/343", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php."}, {"lang": "es", "value": "Vulnerabilidad de carga arbitraria de archivos en VvvebJs anterior a la versi\u00f3n 1.7.5, permite a atacantes remotos no autenticados ejecutar c\u00f3digo arbitrario y obtener informaci\u00f3n confidencial a trav\u00e9s del par\u00e1metro sanitizeFileName en save.php."}], "lastModified": "2025-05-28T19:00:50.340", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vvveb:vvvebjs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4EA18A7-117E-4071-A02E-2CAF99E0D703", "versionEndExcluding": "1.7.5"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}