Cyber Posture

CVE-2024-57450

Severity: Critical · Public PoC available

Published: 03 February 2025
Modified: 13 May 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (43.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

ChestnutCMS <=1.5.0 is vulnerable to File Upload via the Create template function.

Security Summary

CVE-2024-57450 is an unrestricted file upload vulnerability in ChestnutCMS versions up to and including 1.5.0, reachable through the Create template function and mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type). Published on 2025-02-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rated critical because a successful exploit has a high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by any remote, unauthenticated attacker over the network; the attack is low complexity and requires no user interaction. Uploading arbitrary files through the affected function can lead to full compromise of the host, including unauthorized access to sensitive data, modification of system files, and disruption of services.

Mitigation guidance is available in the referenced advisory at https://locrian-lightning-dc7.notion.site/File-Upload-1628e5e2b1a2806a99b8faf140bd5e42.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

Vendor: 1000mz
Product: chestnutcms
Versions: ≤ 1.5.0

References