CVE-2024-44849
Published: 2024-09-09
CVE-2024-44849: Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
Priority: P189 · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 46.30% (98.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qualitor | qualitor | — | — |
| qualitor | qualitor | — | — |
Detection & IOCs (extracted from sources)
- Detect Qualitor ITSM login panel by matching the string 'Qualitor Web' in the HTTP response body with a 200 status code.
- Detect successful arbitrary file upload exploitation by checking the upload response body for 'parent.showQAlert(\'Upload' and 'showQAlert' with HTTP 200.
- The multipart upload boundary 'QUALITORspaceCVEspace2024space44849' is used in exploit PoC requests; presence in HTTP traffic is a strong indicator of active exploitation attempts.
- The form field 'cdfilestorage' is used in the malicious multipart upload request targeting the file storage endpoint.
- The exploit path /html/ad/adfilestorage/request/{{filename}}.php uses a dynamically generated filename; defenders should monitor the entire directory /html/ad/adfilestorage/request/ for newly created PHP files rather than a single static filename.
- CVE-2024-44849 affects Qualitor versions up to and including 8.24; versions beyond this range are not confirmed vulnerable.
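
A log-review sketch for the path indicators listed above, added here as an example and not taken from the Nuclei template or any vendor tooling. It assumes combined-format access logs and that the upload arrives as a POST to checkAcesso.php; the function name `scan_access_log`, the sample lines and the `/placeholder-dir/` path are constructed for illustration.

```python
import re

# Combined log format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Directory named on this page; the file name is random, so match any .php in it.
DROP_RE = re.compile(r'^/html/ad/adfilestorage/request/[^/?]+\.php(?:[/?]|$)', re.I)
# Script named in the CVE description; its directory is not given on the page.
UPLOAD_RE = re.compile(r'/checkAcesso\.php(?:\?|$)', re.I)


def scan_access_log(lines):
    """Return (severity, client_ip, path) findings in log order."""
    uploaders = set()  # clients that POSTed to checkAcesso.php (POST is assumed)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if m["method"] == "POST" and UPLOAD_RE.search(path):
            uploaders.add(ip)
        elif DROP_RE.match(path):
            if status != 200:
                severity = "low"     # probe: the file was not served
            elif ip in uploaders:
                severity = "high"    # upload request, then the PHP file was served
            else:
                severity = "medium"  # a PHP file is being served from storage
            findings.append((severity, ip, path))
    return findings


# Constructed sample: documentation IPs, made-up file names, placeholder directory.
REQ = "/html/ad/adfilestorage/request/"
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2024:09:00:02 +0000] "POST /placeholder-dir/checkAcesso.php HTTP/1.1" 200 310',
    f'198.51.100.7 - - [10/Oct/2024:09:00:03 +0000] "GET {REQ}a1b2c3.php HTTP/1.1" 200 32',
    f'203.0.113.9 - - [10/Oct/2024:09:05:10 +0000] "GET {REQ}test.php HTTP/1.1" 404 196',
    f'192.0.2.44 - - [10/Oct/2024:09:07:45 +0000] "GET {REQ}report.php?x=1 HTTP/1.1" 200 88',
    f'192.0.2.44 - - [10/Oct/2024:09:07:46 +0000] "GET {REQ}doc.pdf HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE):
        print(*finding)
```

The multipart boundary and the `cdfilestorage` field travel in request headers and bodies, which standard access logs do not record, so matching them needs a proxy, WAF or packet capture.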
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-phhc-p9jg-cvj3: Qualitor up to 8
ghsa_unreviewed·2024-09-09
CVE-2024-44849 [CRITICAL] CWE-434 GHSA-phhc-p9jg-cvj3: Qualitor up to 8
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
VulnCheck
Qualitor checkAcesso.php Remote Code Execution Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-44849 [CRITICAL] Qualitor checkAcesso.php Remote Code Execution Vulnerability
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
Affected: Qualitor Qualitor ITSM
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-08&host_type=src&vulnerability=cve-2024-44849; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-10&host_type=src&vulnerability=cve-2024-44849; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-14&host_type=src&vulnerability=cve-2024-44849; https://das
No detection rules found.
Nuclei
Qualitor ITSM - Detect
nuclei·CVSS 9.8
CVE-2024-44849 [CRITICAL] Qualitor ITSM - Detect
Qualitor ITSM login panel was detected.
Template:
```yaml
id: qualitor-itsm-panel
info:
  name: Qualitor ITSM - Detect
  author: johnk3r
  severity: info
  description: Qualitor ITSM login panel was detected.
  reference:
    - https://github.com/projectdiscovery/nuclei-templates/blob/7ade904e3e23bde3e1f5bf721c3a0f4e3f128ae4/http/cves/2024/CVE-2024-44849.yaml
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:"-1217039701"
  tags: panel,qualitor,discovery
http:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true
    max-redirects: 1
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Qualitor Web"
      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ffbf7bbad2fb9776740678
```
Nuclei
Qualitor <= 8.24 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2024-44849 [CRITICAL] Qualitor <= 8.24 - Remote Code Execution
Qualitor
```yaml
        -----------------------------QUALITORspaceCVEspace2024space44849
        Content-Disposition: form-data; name="cdfilestorage"
        -----------------------------QUALITORspaceCVEspace2024space44849--
    matchers:
      - type: dsl
        dsl:
          - contains_all(body, "parent.showQAlert(\'Upload", "showQAlert")
          - status_code == 200
        condition: and
        internal: true
  - raw:
      - |
        GET /html/ad/adfilestorage/request/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"{{md5(num)}}")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402203360c732118325ed4eebc6e8af6a66c95eefcb55b73595e2b2466efb5f5f4b33022053455153eadfd1feb599abc83433c8d327801faef8452129c17384ff17ef706d:922c64590222798bb761d5b6d8e72950
```