
Loomio CVE-2024-1297

Severity: HIGH
Weakness: OS Command Injection (CWE-78)
2024-02-20 · help@fluidattacks.com
CVSS 3.1 base score (NVD): 7.2

Severity by source

NVD (primary): 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Description (CVE.org)

Loomio version 2.22.0 allows executing arbitrary commands on the server.

This is possible because the application is vulnerable to OS Command Injection.

Analysis (AI)

OS command injection in Loomio 2.22.0 allows authenticated high-privilege users to execute arbitrary operating system commands on the underlying server. Publicly available exploit code exists, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV. EPSS sits at 1.51% (81st percentile), indicating moderate but non-trivial exploitation likelihood.

Technical Context (AI)

Loomio is an open-source collaborative decision-making and group discussion platform, commonly self-hosted by organizations, cooperatives, and community groups for facilitating proposals, votes, and threaded discussions. The flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection'), meaning user-controllable input is passed to a system shell or command execution function without adequate sanitization or escaping. CPE data confirms the impacted product is cpe:2.3:a:loomio:loomio:2.22.0, narrowly pinpointing version 2.22.0 of the Loomio web application as the vulnerable artifact.

Remediation (AI)

No vendor-released patch was identified at the time of analysis from the available data; administrators should consult the Loomio project on GitHub and the upstream maintainers for the latest fixed release and upgrade beyond 2.22.0 once one is available. In the interim: restrict and audit the accounts that hold the high-privilege role required for exploitation; rotate administrative credentials; enforce strong authentication and MFA on admin accounts; and place the Loomio instance behind a VPN or IP allowlist so that only trusted networks can reach administrative interfaces (trade-off: less convenient for distributed admins). Monitor application and host logs for unexpected process execution originating from the Loomio service account, and consider running the application under a constrained service user or in a container with no shell utilities to reduce post-exploitation impact (trade-off: this may break legitimate features that shell out).
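To make the log-monitoring step concrete, the following is an added Python example (not code from this page or from the Loomio project) that correlates auditd SYSCALL and EXECVE records by their audit serial and flags any shell, or any binary outside an allowlist, executed as the Loomio service account. It assumes the account runs as uid 1001 with an audit rule such as -a always,exit -F arch=b64 -S execve -F uid=1001 -k loomio_exec loaded; the allowlist entry is a hypothetical placeholder to tune per deployment, and the sample log lines are constructed and trimmed.

```python
import re
from collections import defaultdict

# Assumed: Loomio runs as uid 1001 and auditd logs its execve calls under key "loomio_exec".
LOOMIO_UID = 1001
SHELLS = {"sh", "bash", "dash", "zsh"}
ALLOWED = {"/usr/bin/convert"}  # binaries the app is expected to exec (hypothetical list)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

# Constructed, trimmed auditd records: an allowlisted exec, a shell spawned as the service account, and a root shell.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1708416000.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1250 uid=1001 gid=1001 comm="convert" exe="/usr/bin/convert" key="loomio_exec"
type=EXECVE msg=audit(1708416000.101:4567): argc=3 a0="convert" a1="in.png" a2="out.jpg"
type=SYSCALL msg=audit(1708416000.205:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1262 uid=1001 gid=1001 comm="sh" exe="/usr/bin/dash" key="loomio_exec"
type=EXECVE msg=audit(1708416000.205:4570): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1708416000.300:4575): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1300 uid=0 gid=0 comm="bash" exe="/usr/bin/bash" key="loomio_exec"
type=EXECVE msg=audit(1708416000.300:4575): argc=1 a0="bash"
"""

def parse_record(line):
    """Return (record type, audit serial, fields) for one auditd line, or None if it has no serial."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields.get("type"), m.group(1), fields

def correlate(lines):
    """Join the SYSCALL and EXECVE records that share a serial into one execve event."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, kv = rec
        if rtype == "SYSCALL":
            events[serial].update(uid=int(kv.get("uid", -1)), ppid=kv.get("ppid"), exe=kv.get("exe", ""))
        elif rtype == "EXECVE":
            events[serial]["argv"] = [kv.get(f"a{i}", "") for i in range(int(kv.get("argc", 0)))]
    return events

def find_suspicious(lines):
    """Alert on execve by the Loomio account that runs a shell or a non-allowlisted binary."""
    alerts = []
    for serial, ev in correlate(lines).items():
        if ev.get("uid") != LOOMIO_UID:
            continue
        exe = ev.get("exe", "")
        if exe.rsplit("/", 1)[-1] in SHELLS or exe not in ALLOWED:
            alerts.append((serial, exe, " ".join(ev.get("argv", []))))
    return alerts
```

Running find_suspicious over the sample yields a single alert for the dash shell spawned as uid 1001; the allowlisted convert call and the root shell are not reported.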


CVE-2024-1297 vulnerability details – vuln.today
