CVE-2024-57407
Published: 10 February 2025
Description
An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.
Security Summary
CVE-2024-57407 is an arbitrary file upload vulnerability in the /userPicture component of Timo v2.0.3. Published on 2025-02-10, it allows attackers to execute arbitrary code by uploading a crafted file and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
The attack scenario requires low privileges (PR:L), for instance an ordinary authenticated account, together with network reachability of the endpoint (AV:N) and one user interaction (UI:R) to trigger the upload. By submitting a malicious file to the /userPicture endpoint, the attacker can achieve arbitrary code execution on the server, compromising data confidentiality and integrity; availability is not affected (A:N).
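The defensive counterpart to CWE-434 is a server-side check that trusts neither the client-supplied filename nor the declared content type. The following is an added example written for this page, not Timo's own code (the page does not state Timo's implementation language); the allowlist, size cap and function name are assumptions.

```python
import os
import secrets

# Allowlisted picture types: extension -> accepted magic-byte prefixes.
# Assumed policy for a profile-picture endpoint, not taken from Timo.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap for a profile picture (assumed)


def check_picture_upload(client_filename: str, data: bytes):
    """Return (accepted, reason, stored_name).

    The client name is used only to read the extension, the body must
    carry the magic bytes of that type, and the name written to disk is
    generated by the server, so the uploader controls neither the
    stored path nor the stored extension.
    """
    # Reject any path component, backslash or NUL in the submitted name.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base != client_filename or "\x00" in base or not base:
        return False, "path components or NUL in filename", None
    parts = base.lower().split(".")
    # Exactly one extension: rejects bare names and "x.jsp.png"-style
    # double extensions that some servers interpret by the inner suffix.
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required", None
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed", None
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized body", None
    # Declared type must match the actual bytes, not just the suffix.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared picture type", None
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored
```

The returned name should be written only under a directory the application server never executes scripts from, and served back as static content with a fixed image Content-Type.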
Advisories and further details on mitigation are provided in the following references: https://gist.github.com/kaoniniang2/71f6a39535490ea2eeac371f33faec9c and https://gitee.com/aun/Timo/issues/IBBTZI.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)