CVE-2024-56828

{"id": "CVE-2024-56828", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-01-06T18:15:23.467", "references": [{"url": "https://gitee.com/liweiyi/ChestnutCMS", "source": "cve@mitre.org"}, {"url": "https://github.com/Zerone0x00/CVE/blob/main/ChestnutCMS/CVE-2024-56828.md", "source": "cve@mitre.org"}, {"url": "https://www.1000mz.com/", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the base64-encoded image is parsed. For example, given a string like: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= the content after the comma is extracted and decoded using Base64.getDecoder().decode(). The substring from the 11th character up to the first occurrence of a semicolon (;) is assigned to the suffix variable (representing the file extension). The decoded content is then written to a file. However, the file extension is not validated, and since this functionality is exposed to the frontend, it poses significant security risks."}, {"lang": "es", "value": "Vulnerabilidad de carga de archivos en ChestnutCMS hasta la versi\u00f3n 1.5.0. Seg\u00fan el an\u00e1lisis del c\u00f3digo, se determin\u00f3 que el endpoint de la API /api/member/avatar recibe una cadena base64 como entrada. Esta cadena se pasa luego al m\u00e9todo memberService.uploadAvatarByBase64 para su procesamiento. Dentro del servicio, se analiza la imagen codificada en base64. Por ejemplo, dada una cadena como: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= el contenido despu\u00e9s de la coma se extrae y se decodifica utilizando Base64.getDecoder().decode(). La subcadena desde el und\u00e9cimo car\u00e1cter hasta la primera aparici\u00f3n de un punto y coma (;) se asigna a la variable de sufijo (que representa la extensi\u00f3n del archivo). Luego, el contenido decodificado se escribe en un archivo. Sin embargo, la extensi\u00f3n del archivo no est\u00e1 validada y, dado que esta funcionalidad est\u00e1 expuesta al frontend, plantea riesgos de seguridad importantes."}], "lastModified": "2025-01-14T21:15:11.817", "sourceIdentifier": "cve@mitre.org"}