CVE-2024-50658

Critical

Published: 07 January 2025

Published

07 January 2025

Modified

24 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0262 85.7th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

Server-Side Template Injection (SSTI) was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in updateuserinfo.html file

Security Summary

CVE-2024-50658 is a Server-Side Template Injection (SSTI) vulnerability, classified under CWE-94, affecting AdPortal version 3.0.39. The issue resides in the updateuserinfo.html file, where the shippingAsBilling and firstname parameters can be manipulated to enable arbitrary code execution. It received a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote attacker requires no authentication to exploit this vulnerability over the network. Successful exploitation grants the attacker the ability to execute arbitrary code on the server, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability as per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Advisories and further details are referenced at http://adportal.com, http://ipublish.com, and https://petercipolone.info/wp-content/uploads/2025/01/iPublishMedia_AdPortal3.0.39_CVEs.pdf, published on 2025-01-07.

Details

CWE(s): CWE-94

Affected Products

ipublishmedia

adportal

3.0.39

References

http://adportal.com
Broken Link · cve@mitre.org
http://ipublish.com
Broken Link · cve@mitre.org
https://petercipolone.info/wp-content/uploads/2025/01/iPublishMedia_AdPortal3.0.39_CVEs.pdf
Broken Link · cve@mitre.org