CVE-2024-57099

CriticalPublic PoC

Published: 03 February 2025

Published

03 February 2025

Modified

13 May 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0117 78.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

ClassCMS v4.8 has a code execution vulnerability. Attackers can exploit this vulnerability by constructing a payload in the classview parameter of the model management feature, allowing them to execute arbitrary code and potentially take control of the server.

Security Summary

ClassCMS v4.8 contains a code execution vulnerability, identified as CVE-2024-57099 and associated with CWE-94. The flaw resides in the model management feature, where the classview parameter fails to properly sanitize inputs, enabling arbitrary code execution. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity due to high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious payload for the classview parameter, they can execute arbitrary code on the affected server, potentially gaining full control over the system.

Mitigation details are available in the referenced advisory at https://github.com/ClassCMS/ClassCMS/issues/6, published on 2025-02-03.

Details

CWE(s): CWE-94

Affected Products

classcms

4.8

References

https://github.com/ClassCMS/ClassCMS/issues/6
Exploit, Issue Tracking, Vendor Advisory · cve@mitre.org