Skip to main content

Funadmin CVE-2024-48224

MEDIUM
Path Traversal (CWE-22)
2024-10-25 cve@mitre.org
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 25, 2024 - 21:15 nvd
MEDIUM 4.9

DescriptionNVD

Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile.

AnalysisAI

Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile. Affected products include: Funadmin.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2023-36097 CRITICAL POC
9.8 Jun 22

funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install. Rated critical severity (CVSS

CVE-2023-24774 CRITICAL POC
9.8 Mar 10

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \controller\au

CVE-2023-24777 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list. R

CVE-2023-24782 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit

CVE-2023-24773 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list

CVE-2023-24780 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns

CVE-2023-24775 CRITICAL POC
9.8 Mar 07

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member

CVE-2023-24781 CRITICAL POC
9.8 Mar 07

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member

CVE-2023-24776 CRITICAL POC
9.8 Mar 06

Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addo

CVE-2024-48230 HIGH POC
7.2 Oct 25

funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\a

CVE-2024-48226 HIGH POC
7.2 Oct 25

Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield. Rated high severity (CVSS 7.2), this vulnerabilit

CVE-2024-48223 HIGH POC
7.2 Oct 25

Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist. Rated high severity (CVSS 7.2), this vulnera

Share

CVE-2024-48224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy