CVE-2024-56828
Published: 06 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-56828 is an unrestricted file upload vulnerability (CWE-434) in ChestnutCMS through version 1.5.0. The issue affects the /api/member/avatar API endpoint, which accepts a base64-encoded string as input for avatar uploads. This string is processed by the memberService.uploadAvatarByBase64 method, where the content after the comma is base64-decoded and written to a file. The file extension is derived from the substring starting at the 11th character up to the first semicolon in the MIME type prefix (e.g., "image/html" from "data:image/html;base64,..."), but it is not validated, enabling arbitrary file types to be stored on the server.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An attacker can send a crafted base64 payload via the exposed frontend endpoint, such as "data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4=", resulting in the decoded malicious content (e.g., HTML with JavaScript) being saved with an unvalidated extension. This allows high-impact outcomes including arbitrary file writes, potential remote code execution, and server compromise.
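To make the weak extension derivation and its hardened counterpart concrete, the following is an added Python example, not ChestnutCMS code (the project itself is Java): `weak_extension` mirrors the "substring from offset 11 up to the first semicolon" logic described above, while `safe_parse_avatar` accepts only an allowlist of image MIME types, maps each to a fixed extension, decodes strictly and checks the decoded bytes' magic signature. The HTML payload is the one quoted in the summary; the PNG sample is constructed and carries only the PNG signature.

```python
import base64
import re

# Sample from the advisory text: a data URL whose body decodes to a small HTML document.
HTML_PAYLOAD = ("data:image/html;base64,"
                "PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4=")
# Constructed sample: PNG signature followed by padding (enough for the magic-byte check).
PNG_DATA_URL = "data:image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()


def weak_extension(data_url: str) -> str:
    """Extension derivation as described in the advisory: everything from
    offset 11 ("data:image/" is 11 characters) up to the first ';' is trusted
    as the file extension, so "data:image/html;..." yields "html"."""
    return data_url[11:data_url.index(";")]


# Hardened approach: MIME type -> (fixed extension, accepted magic-byte prefixes)
ALLOWED = {
    "image/png":  ("png", (b"\x89PNG\r\n\x1a\n",)),
    "image/jpeg": ("jpg", (b"\xff\xd8\xff",)),
    "image/gif":  ("gif", (b"GIF87a", b"GIF89a")),
}
DATA_URL_RE = re.compile(r"^data:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=]+)$")
MAX_BYTES = 512 * 1024  # assumed avatar size limit for this example


def safe_parse_avatar(data_url: str) -> tuple[str, bytes]:
    """Return (extension, decoded bytes) or raise ValueError.
    The extension comes from the allowlist, never from client-supplied text."""
    m = DATA_URL_RE.match(data_url)
    if not m:
        raise ValueError("not a base64 data URL")
    mime, b64 = m.group(1), m.group(2)
    if mime not in ALLOWED:
        raise ValueError(f"MIME type not allowed: {mime}")
    ext, magics = ALLOWED[mime]
    body = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(body) > MAX_BYTES:
        raise ValueError("avatar too large")
    if not any(body.startswith(sig) for sig in magics):
        raise ValueError("content does not match declared image type")
    return ext, body


def is_accepted(data_url: str) -> bool:
    """Convenience wrapper: True if the hardened parser would store the upload."""
    try:
        safe_parse_avatar(data_url)
        return True
    except ValueError:
        return False
```

Note that the magic-byte check also rejects a correctly labelled `image/png` whose body is not PNG data, which the MIME allowlist alone would not catch.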
Advisories and related resources, including the ChestnutCMS Gitee repository (https://gitee.com/liweiyi/ChestnutCMS), a GitHub proof-of-concept (https://github.com/Zerone0x00/CVE/blob/main/ChestnutCMS/CVE-2024-56828.md), and details on 1000mz.com (https://www.1000mz.com/), provide code analysis and exploitation demonstrations but do not specify patches or mitigations in the available information.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The arbitrary file upload in the public-facing ChestnutCMS API endpoint (/api/member/avatar), which performs insufficient validation of the uploaded content and extension, allows exploitation of a public-facing web application.