CVE-2024-41304

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-41304
An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 4.7

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting Exploit Third Party Advisory
https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:wondercms:wondercms:3.4.3:*:*:*:*:*:*:*
History

11 Apr 2025, 15:14

Type Values Removed Values Added
CPE cpe:2.3:a:wondercms:wondercms:3.4.3:*:*:*:*:*:*:*
First Time Wondercms
Wondercms wondercms
References () https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting - () https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting - Exploit, Third Party Advisory

21 Nov 2024, 09:32

Type Values Removed Values Added
References () https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting - () https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting -

23 Aug 2024, 16:35

Type Values Removed Values Added
CWE CWE-94
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4

31 Jul 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de carga de archivos arbitrarios en la función uploadFileAction() de WonderCMS v3.4.3 permite a los atacantes ejecutar código arbitrario a través de un archivo SVG manipulado.

30 Jul 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-30 18:15

Updated : 2025-04-11 15:14

NVD link : CVE-2024-41304

Mitre link : CVE-2024-41304

CVE.ORG link : CVE-2024-41304

JSON object : View

Products Affected

wondercms

  • wondercms
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')