cbcvebase.
CVE-2024-42640
published 2024-10-11

Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 43.68% (98.6th percentile)
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Detection & IOCs (extracted from sources)

path: /node_modules/angular-base64-upload/demo/server.php
path: /bower_components/angular-base64-upload/demo/server.php
path: /node_modules/angular-base64-upload/demo/uploads/
path: /bower_components/angular-base64-upload/demo/uploads/
path: /bower_components/angular-base64-upload/demo/index.html
path: /node_modules/angular-base64-upload/demo/index.html
filename: server.php
  • Alert on HTTP GET requests to demo/uploads/ paths under angular-base64-upload directories, which indicate execution of a previously uploaded payload
  • Monitor for outbound HTTP GET requests to raw.githubusercontent.com fetching php-reverse-shell during exploitation, indicating the attacker is staging a reverse shell payload
  • Flag HTTP responses from demo/uploads/ containing PHP execution output (e.g. cmd parameter responses), indicating successful webshell execution via ?cmd= query string
  • Nuclei template matcher: flag responses where body contains 'uploads/<filename>.php' with HTTP 200 from the server.php endpoint, confirming successful file upload
  • The vulnerability exists only in the demo/ directory, which should never be deployed to production; exploitation requires the demo files (server.php, uploads/) to be publicly accessible on the server
  • The exploit targets both the bower_components and node_modules installation paths; detection rules must cover both directory prefixes to avoid blind spots
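
An access-log check that applies the detection notes above to both install prefixes, as an added example (not taken from the advisory or its sources). It assumes Apache/nginx common log format; the rule names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Both install prefixes from the IOC list must be covered to avoid blind spots.
DEMO = re.compile(
    r"/(?:node_modules|bower_components)/angular-base64-upload/demo/(?P<rest>.*)$",
    re.IGNORECASE)
# Common log format prefix (assumed layout): ip - - [ts] "METHOD uri PROTO" status
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, rule, path, status) if the request touches the demo dir, else None."""
    m = LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    path = unquote(parts.path)  # decode %xx so percent-encoded paths still match
    hit = DEMO.search(path)
    if not hit:
        return None
    rest = hit["rest"].lower()
    if rest.startswith("uploads/"):
        # Any fetch from uploads/ is suspect; a cmd parameter matches the webshell note.
        has_cmd = "cmd" in parse_qs(parts.query, keep_blank_values=True)
        rule = "uploads-cmd-param" if has_cmd else "uploads-access"
    elif rest == "server.php":
        rule = "upload-endpoint-post" if m["method"] == "POST" else "upload-endpoint-probe"
    else:
        rule = "demo-exposed"  # demo files are reachable and should not be deployed
    return (m["ip"], rule, path, int(m["status"]))

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges), not from a real incident.
TS = "[11/Oct/2024:10:00:00 +0000]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /app/main.js HTTP/1.1" 200 5120',
    f'203.0.113.5 - - {TS} "GET /bower_components/angular-base64-upload/demo/index.html HTTP/1.1" 200 2048',
    f'203.0.113.5 - - {TS} "POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1" 200 64',
    f'203.0.113.5 - - {TS} "GET /node_modules/angular-base64-upload/demo/uploads/example.php?cmd=x HTTP/1.1" 200 40',
    f'203.0.113.9 - - {TS} "GET /bower_components/angular-base64-upload/demo/%75ploads/a.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding at all means the demo directory is reachable from the network, which is the precondition the notes above describe.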

CVSS provenance

nvd: v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 · CRITICAL