CVE-2024-55028
Published: 25 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2024-55028 is a template injection vulnerability in the Dashboard component of NASA Fprime version 3.4.3. The issue, classified under CWE-94 (Code Injection), enables attackers to execute arbitrary code by uploading a specially crafted Vue file. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
The vulnerability can be exploited by remote, unauthenticated attackers with low complexity and no user interaction required. Successful exploitation grants attackers the ability to execute arbitrary code on the affected system, compromising confidentiality, integrity, and availability to a high degree.
Advisories are available at https://visionspace.com/remote-code-execution-and-critical-vulnerabilities-in-nasa-fprime-v3-4-3/, which details this remote code execution flaw alongside other critical vulnerabilities in NASA Fprime v3.4.3.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated RCE via template injection and crafted file upload in a web dashboard component directly enables exploitation of public-facing applications (T1190) and arbitrary code execution through command/scripting interpreters (T1059).