CVE-2023-3234
Published: 2023-06-14
Priority: P3 56 | CVSS 3.1: 9.8 critical | vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.17% (63.4th percentile)
A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been declared as problematic. Affected by this vulnerability is the function put_image of the file api/controller/v1/PublicController.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-231505 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
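The record above names the sink (put_image in api/controller/v1/PublicController.php) and the effect (deserialization reachable from a remote request) but does not show the code. The example below is an added illustration, not CRMEB's code or the HuBenLab writeup's proof of concept; it assumes the common PHP shape of this bug class, in which an attacker-controlled URL parameter is handed to a filesystem function and PHP's phar:// stream wrapper unserializes the archive's metadata (automatic in PHP before 8.0). Function names, the `$url` parameter and the sample inputs are all constructed for the illustration.

```php
<?php
// Added illustration of the bug class described for CVE-2023-3234; this is
// NOT CRMEB's put_image(). ASSUMPTION: the handler receives a user-supplied
// URL and passes it to a filesystem function that honours stream wrappers.
declare(strict_types=1);

// Vulnerable shape (assumed): whatever scheme the caller names is honoured.
// getimagesize(), file_exists(), is_file(), copy() and friends all open the
// path through PHP's stream layer, so a value such as
// "phar://uploads/avatar.jpg/x" makes PHP (< 8.0) unserialize() the phar's
// metadata before a single byte of "image" is examined.
function putImageVulnerable(string $url): string
{
    if (@getimagesize($url) === false) {
        throw new RuntimeException('not an image');
    }
    return $url;
}

// Hardened shape: parse the URL first, allow only http and https, and refuse
// every other wrapper (phar://, file://, php://, data:, glob:, ...) before any
// filesystem call can see the value.
function putImageHardened(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        throw new InvalidArgumentException('malformed url');
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme not allowed: $scheme");
    }
    if (empty($parts['host'])) {
        throw new InvalidArgumentException('missing host');
    }
    // Defence in depth: once the process no longer needs phar, drop the
    // wrapper so that no later code path can be steered into it.
    if (in_array('phar', stream_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
    return $url;
}

// Constructed inputs for the demonstration; the phar path is a placeholder,
// no archive is built or opened here.
$inputs = [
    'https://cdn.example.test/logo.png',
    'phar://./uploads/avatar.jpg/any',
    'file:///etc/passwd',
    'not a url',
];
foreach ($inputs as $u) {
    try {
        echo 'accepted: ' . putImageHardened($u) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: $u ({$e->getMessage()})" . PHP_EOL;
    }
}
```

Run with `php example.php`; only the https input is accepted. Restricting the scheme closes the wrapper-based deserialization path but not server-side request forgery through the remaining http(s) fetch, so a host allowlist or egress filtering is a separate decision for a real image-fetch endpoint.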
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crmeb | crmeb | <= 4.6.0 | — |
| zhong_bang | crmeb | — (7 further ranges are listed for this vendor, none with version data) | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
The two scores disagree on the preconditions: the v3.1 vector assumes no privileges (PR:N) and full loss of confidentiality, integrity and availability, while the v2.0 vector requires single authentication (Au:S) and rates only partial confidentiality impact, and the VulDB record text itself calls the issue "problematic". Check which applies to your deployment before triaging on the 9.8 alone.
No detection rules found.
Nuclei
No template indexed for CVE-2023-3234. The only hit shown is for a different identifier, CVE-2024-3234 (Chuanhu Chat - Directory Traversal, author DhiyaneshDk), matched on the shared numeric suffix and unrelated to CRMEB: the gaizhenbiao/chuanhuchatgpt application is vulnerable to path traversal because it bundles an outdated gradio component affected by CVE-2023-51449; although the application restricts access to the `web_assets` folder, the gradio bug lets unauthorized users read files outside it, such as `config.json`, which contains API keys. It affects chuanhuchatgpt versions before the fix released on 20240305. The severity labels indexed for that template disagree with each other (CVSS 7.5 and [MEDIUM] in the listing, `severity: critical` in the template header), and the template body is truncated on this page.
No writeups or analysis indexed.
References
- https://github.com/HuBenLab/HuBenVulList/blob/main/CRMEB%20is%20vulnerable%20to%20deserialization.md
- https://vuldb.com/?ctiid.231505
- https://vuldb.com/?id.231505