CVE-2024-9794
Published 2024-10-10

Priority P260 · Critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.63% (45.7th percentile)

A vulnerability, which was classified as critical, has been found in Codezips Online Shopping Portal 1.0. This issue affects some unknown processing of the file /update-image1.php. The manipulation of the argument productimage1 leads to unrestricted upload (CWE-434). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected
1 range for CVE-2024-9794. The aggregator also shows a second range, widgetti/solara >= 0 < 1.35.1 (fixed in 1.35.1); that range belongs to CVE-2024-39903 and is listed under its own advisory below, not to this CVE.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codezips | online_shopping_portal | 1.0 | no fix listed |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 5.3 | Medium | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (threat and environmental metrics all X, not defined) |
| NVD | 2.0 | 6.5 | Medium | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| GHSA | — | 7.5 | High | — |

Two caveats. First, the NVD vectors disagree on privileges: v3.1 scores PR:N (no account needed) with high impact, while v4.0 (PR:L) and v2.0 (Au:S) assume an authenticated attacker and low or partial impact. Whether /update-image1.php is reachable without a valid session decides which score applies, and the page does not settle it. Second, the GHSA 7.5 High figure matches the Solara advisory GHSA-9794-pc4r-438w (CVE-2024-39903) shown further down, not the GHSA entry for this CVE, which is unreviewed and rated Medium.
GHSA
GHSA-qfr4-qjvr-4v26 · unreviewed · published 2024-10-10
CVE-2024-9794 [MEDIUM] CWE-434 (Unrestricted Upload of File with Dangerous Type)
The GitHub entry carries the same description as the NVD record above and rates the issue Medium, in line with the NVD v4.0 and v2.0 scores rather than the 9.8 v3.1 score.
GHSA (different CVE, attached by identifier match)
GHSA-9794-pc4r-438w: Local File Inclusion in Solara
ghsa · 2024-07-12 · CVSS 7.5
CVE-2024-39903 [HIGH] CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

This advisory concerns widgetti/solara, not Codezips Online Shopping Portal. Its GHSA identifier contains the string 9794, which is presumably why the aggregator attached it to this page; it describes a separate vulnerability with its own CVE.

A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.
### References
- https://github.com/widgetti/solara/security/advisories/GHSA-9794-pc4r-438w
- https://github.com/widgetti/solara/commit/df2fd66a7f4e8ffd36e8678697a8a4f76760dc54
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39903
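The Solara advisory describes the general CWE-22 failure: a static-file handler that joins client-controlled path text onto its root without checking for '../' sequences. The following is an added example, written for this page and not Solara's code, of the containment check: decode once, resolve the joined path, and serve only if the result still sits under the root. It also splits the URI so that query and fragment are never treated as file-path material. STATIC_ROOT and the /static/ prefix are assumptions.

```python
"""Added example: keeping a static-file request inside its root (CWE-22).
Illustrative code for this page, not widgetti/solara's own; the root
directory and URL prefix are assumptions."""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

STATIC_ROOT = Path("/srv/app/static")  # assumed location of static assets


def resolve_static(requested: str, root: Path = STATIC_ROOT) -> Optional[Path]:
    """Map a client-supplied relative path onto root.

    Returns the absolute path to serve, or None if the request would leave
    root (or names root itself, which is a directory, not a file)."""
    root = root.resolve()
    # Decode exactly once, before normalising; decoding after the check is
    # the classic bypass ("..%2F" survives a textual "../" filter).
    rel = unquote(requested).replace("\\", "/").lstrip("/")
    if "\x00" in rel:
        return None
    # resolve() collapses ".." and symlinks, so the containment test below
    # is made on the real path, not on the string the client sent.
    candidate = (root / rel).resolve()
    if root not in candidate.parents:
        return None
    return candidate


def target_for_request(raw_uri: str, prefix: str = "/static/",
                       root: Path = STATIC_ROOT) -> Optional[Path]:
    """Select the file for a raw request URI under the static prefix.

    urlsplit separates query and fragment from the path; neither is ever
    used to build a filesystem path, so traversal text placed there is
    simply ignored rather than being checked."""
    parts = urlsplit(raw_uri)
    if not parts.path.startswith(prefix):
        return None
    return resolve_static(parts.path[len(prefix):], root)


# Constructed requests for the demonstration.
REQUESTS = [
    "/static/css/app.css",
    "/static/css/app.css?v=3#../../etc/passwd",
    "/static/../../../etc/passwd",
    "/static/..%2F..%2F..%2Fetc%2Fpasswd",
    "/static/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/static/",
]

if __name__ == "__main__":
    for uri in REQUESTS:
        print(f"{uri:45} -> {target_for_request(uri)}")
```

The test for "is candidate under root" is done on Path objects after resolve(), which is what makes it robust; a startswith() on the string form fails on a sibling directory such as /srv/app/static-old. Symlinks inside the root that point outside it are also caught, because resolve() follows them before the check.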
No detection rules found.
No public exploits indexed. Note that the description states the exploit has been disclosed publicly, so absence from this index does not mean no proof of concept exists.
No writeups or analysis indexed.
Published: 2024-10-10