CVE-2024-58280
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-10

Assigner: VulnCheck

Description
CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58280
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cmsimple cmsimple 5.15
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-403 A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, immediately restrict or review user permissions to prevent authenticated users from modifying file extensions. Disable or restrict the ability to append ',php' to Extensions_userfiles. Monitor and control file uploads to the media directory, ensuring that only safe file types are allowed. Additionally, scan the media directory for any suspicious PHP files and remove them. Applying any available patches or updates from CMSimple is also recommended.

Executive Summary

This vulnerability in CMSimple 5.15 allows authenticated attackers to perform remote command execution by modifying file extensions and uploading malicious PHP files. Specifically, attackers can append ',php' to the Extensions_userfiles setting and upload a shell script to the media directory, enabling them to execute arbitrary code on the server.

Impact Analysis

The vulnerability can lead to unauthorized remote code execution on the affected server, potentially allowing attackers to take control of the server, access sensitive data, modify or delete files, and disrupt services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart