CVE-2024-46479
Published: 13 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. (This is the MITRE ATT&CK description of Exploit Public-Facing Application, T1190, the technique mapped to this CVE below; it is not the CVE text itself, which follows under Security Summary.)
Security Summary
CVE-2024-46479 is an arbitrary file upload vulnerability in Venki Supravizio BPM through version 18.0.1, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). An authenticated attacker can upload a file of a dangerous type, which can lead to remote code execution on the targeted system. The vulnerability was published on 2025-01-13 with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, has low attack complexity, needs only low privileges and no user interaction, and has high impact on confidentiality, integrity and availability. The changed scope (S:C) reflects that a compromise of the BPM application extends to the underlying host rather than staying within the application itself.
An authenticated attacker holding a low-privileged account (PR:L) can exploit this over the network without any user interaction: uploading a specially crafted file through the affected component yields remote code execution, and from there full system compromise, including data theft, data modification and lateral movement into the surrounding environment. The CVE record does not identify the upload endpoint or the file types involved, so defenders should treat every upload feature of the product as in scope until the vendor says otherwise.
The researcher's findings are documented at https://github.com/Lorenzo-de-Sa/Vulnerability-Research and https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46479.md; the vendor product page is https://www.venki.com.br/ferramenta-bpm/supravizio/. The CVE record gives no patch or mitigation guidance. Until the vendor publishes a fix, the standard CWE-434 controls apply: restrict the upload feature to trusted roles, validate file type server-side against an allow-list (extension and content, never the client's Content-Type alone), store uploads outside the web root under server-chosen names, and review upload directories and web-server logs for unexpected executable content.
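The CVE record does not say how Supravizio validates uploads, so the following is an added, generic illustration of the CWE-434 pattern and of the controls listed above; it is not Supravizio code and not from the researcher's write-up. The accepted file types (PDF, PNG), the sample uploads and the storage layout are assumptions chosen for the example.

```python
"""Added example: the vulnerable CWE-434 upload check beside a hardened one.
Illustrative code only, not Venki Supravizio code; file types and samples are assumed."""
import os
import posixpath
import re
import secrets

# Constructed sample uploads: (client filename, client Content-Type, leading bytes).
SAMPLE_UPLOADS = [
    ("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("notes.PDF", "application/pdf", b"%PDF-1.4\n"),
    # Web shell with a spoofed Content-Type: the classic CWE-434 payload.
    ("shell.jsp", "image/png", b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'),
    # Double extension, hoping the app keys on the last one and the web server on the first.
    ("shell.php.png", "image/png", b"<?php system($_GET['c']); ?>"),
    # Traversal in the filename, aiming at a directory the app server executes from.
    ("../../webapps/ROOT/cmd.jsp", "application/pdf", b"%PDF-1.7\n"),
]

ALLOWED_TYPES = {  # extension -> (magic bytes, expected Content-Type); assumed allow-list
    ".pdf": (b"%PDF-", "application/pdf"),
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no dots, slashes or shell metacharacters


def weak_is_allowed(filename, content_type, data):
    """The vulnerable pattern: trust the client's Content-Type and keep its filename."""
    return content_type in {ct for _, ct in ALLOWED_TYPES.values()}


def hardened_validate(filename, content_type, data):
    """Allow-list the extension, verify magic bytes, refuse path tricks. Returns (ok, reason)."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path separators in filename"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allow-listed"
    if not SAFE_STEM.match(stem):  # also rejects 'shell.php' from shell.php.png
        return False, "unsafe filename stem"
    magic, expected_ct = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        return False, "content does not match extension"
    if content_type != expected_ct:
        return False, "declared Content-Type mismatch"
    return True, "ok"


def storage_path(upload_root, ext):
    """Server-chosen random name under a directory outside the web root; the client's name is never used."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, secrets.token_hex(16) + ext))
    if os.path.dirname(target) != root:
        raise ValueError("target escaped upload root")
    return target


def triage(uploads=SAMPLE_UPLOADS):
    """Run both checks over the samples; returns {filename: (weak_allows, hardened_allows)}."""
    return {name: (weak_is_allowed(name, ct, data), hardened_validate(name, ct, data)[0])
            for name, ct, data in uploads}


if __name__ == "__main__":
    for name, (weak, hard) in triage().items():
        print(f"{name:30} weak={'ALLOW' if weak else 'deny':5} hardened={'ALLOW' if hard else 'deny'}")
```

The weak check admits all three malicious samples because the only thing it inspects is a header the attacker controls. The hardened check is still not sufficient on its own: a PDF or PNG polyglot carrying server-side code passes the magic-byte test, which is why the upload directory must sit outside the web root and be served without script execution.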
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Affected Products
- Venki Supravizio BPM through version 18.0.1
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The arbitrary file upload in Venki Supravizio BPM lets an authenticated attacker upload a malicious file and reach remote code execution on the host, which is exploitation of a public-facing application in ATT&CK terms.