CVE-2024-58280
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-10
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cmsimple | cmsimple | 5.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-403 | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately restrict or review user permissions to prevent authenticated users from modifying file extensions. Disable or restrict the ability to append ',php' to Extensions_userfiles. Monitor and control file uploads to the media directory, ensuring that only safe file types are allowed. Additionally, scan the media directory for any suspicious PHP files and remove them. Applying any available patches or updates from CMSimple is also recommended.
Can you explain this vulnerability to me?
This vulnerability in CMSimple 5.15 allows authenticated attackers to perform remote command execution by modifying file extensions and uploading malicious PHP files. Specifically, attackers can append ',php' to the Extensions_userfiles setting and upload a shell script to the media directory, enabling them to execute arbitrary code on the server.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized remote code execution on the affected server, potentially allowing attackers to take control of the server, access sensitive data, modify or delete files, and disrupt services.
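The checks suggested above (reviewing Extensions_userfiles and scanning the media directory) as an added defender-side example; this is not BaseFortify's or CMSimple's code. It assumes Extensions_userfiles is a comma-separated list of extensions, as the ',php' append in the description implies, and it generalises beyond the page's ".php" to other extensions a PHP-enabled server commonly executes; the setting values and file names are constructed.

```python
# Added audit helpers (not CMSimple's code) for the CVE-2024-58280 mitigation:
# detect an Extensions_userfiles value that permits executable uploads, and
# flag files already sitting in the media directory that a PHP server would run.

# Extensions typically handled by a PHP interpreter. Only "php" is named on the
# page; the aliases are an assumption to make the check less easy to bypass.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def parse_extensions(setting: str) -> list[str]:
    """Split a comma-separated Extensions_userfiles value into normalised entries.

    Assumption: the value is comma-separated (the CVE text shows ',php' being
    appended). Whitespace, a leading dot and letter case are normalised away.
    """
    return [e.strip().lstrip(".").lower() for e in setting.split(",") if e.strip()]


def unsafe_extensions(setting: str) -> list[str]:
    """Return the entries of the setting that would allow uploading executable files."""
    return [e for e in parse_extensions(setting) if e in EXECUTABLE_EXTENSIONS]


def suspicious_media_files(file_names) -> list[str]:
    """Flag names where any dotted segment after the first is executable.

    Checking every segment (not just the last) reports both 'shell.php' and
    'photo.php.jpg'; some web-server handler configurations execute the latter.
    """
    flagged = []
    for name in file_names:
        segments = name.lower().split(".")[1:]
        if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
            flagged.append(name)
    return flagged


# Constructed sample data: a safe baseline, the tampered value the CVE describes,
# and a media-directory listing containing two files that should be flagged.
SAFE_SETTING = "jpg,jpeg,png,gif,pdf"
TAMPERED_SETTING = SAFE_SETTING + ",php"
SAMPLE_MEDIA = ["logo.png", "brochure.pdf", "shell.php", "photo.PHP.jpg"]

if __name__ == "__main__":
    print("unsafe entries in setting:", unsafe_extensions(TAMPERED_SETTING))
    print("suspicious media files:", suspicious_media_files(SAMPLE_MEDIA))
```

On a live install, feed the real Extensions_userfiles value and an `os.listdir()` of the media directory to these functions instead of the constructed samples.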