Cyber Posture

CVE-2024-57052

Critical

Published: 27 January 2025

Modified: 27 June 2025
KEV Added: not listed
Patch: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0126 (79.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue in youdiancms v9.5.20 and earlier allows a remote attacker to escalate privileges via the sessionID parameter of the index.php file.

Security Summary

CVE-2024-57052 is a privilege escalation vulnerability affecting youdiancms versions 9.5.20 and earlier. The issue stems from improper handling of the sessionID parameter in the index.php file, which lets a remote attacker escalate privileges. It is classified under CWE-384 (Session Fixation) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rating it critical.

Any remote attacker can exploit this vulnerability without authentication, privileges, or user interaction; only network access is required and the attack complexity is low. Successful exploitation has high impact on confidentiality, integrity, and availability, and can lead to full system compromise through the elevated privileges obtained.

A related advisory is documented at https://gist.github.com/yahaha9/720fb45bbebda62dc198568c8d275df8.

Details

CWE(s): CWE-384 (Session Fixation)

Affected Products

Vendor: youdiancms
Product: youdiancms
Versions: ≤ 9.5.20

References