CVE-2024-57452
Published: 03 February 2025
Description
ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder.
Security Summary
CVE-2024-57452 is an arbitrary file deletion vulnerability affecting ChestnutCMS versions up to and including 1.5.0. The issue resides in the contentcore.controller.FileController component, enabling attackers to delete any file or folder on the server. It has been assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-552 (Files or Directories Accessible to External Parties). The vulnerability was published on 2025-02-03.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows deletion of arbitrary files and folders, resulting in high integrity impact but no confidentiality or availability disruption. This could lead to denial of core site functionality, data loss, or further compromise if critical system files are targeted.
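The defensive control for this vulnerability class (CWE-552, a file-management endpoint that deletes whatever path it is handed) is to canonicalise the requested path and refuse anything that does not resolve strictly inside the storage root, regardless of how a traversal is encoded (`..` components, absolute paths, or symlinks that point outside the root). The following is an added example written for this page; it is not ChestnutCMS code and does not reflect the actual `FileController` implementation. The storage root, the `uploads` layout and the request paths are constructed for the demonstration.

```python
"""Added example: confining a file-deletion endpoint to a storage root.

Not ChestnutCMS code. Illustrates the mitigation for the arbitrary file
deletion (CWE-552) class described above. The storage layout and the
request paths in demo() are constructed for this example.
"""
import os
import shutil
import tempfile


class PathOutsideRoot(ValueError):
    """Raised when a requested path does not resolve inside the allowed root."""


def resolve_inside_root(root: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` if it lies inside `root`.

    `requested` must be a path relative to the storage root. Absolute paths are
    rejected up front; `..` traversal and symlinks pointing outside the root are
    rejected after canonicalisation (realpath), so the check does not depend on
    how the escape is spelled in the individual path components.
    """
    if os.path.isabs(requested):
        raise PathOutsideRoot(f"absolute path {requested!r} is not allowed")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    # commonpath is a prefix test on path components, not on raw strings, so
    # "/srv/uploads-old" is correctly rejected for a root of "/srv/uploads".
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathOutsideRoot(f"{requested!r} resolves outside the storage root")
    if candidate == real_root:
        raise PathOutsideRoot("refusing to delete the storage root itself")
    return candidate


def safe_delete(root: str, requested: str) -> str:
    """Delete a file or directory under `root`, refusing anything that escapes it."""
    target = resolve_inside_root(root, requested)
    if os.path.isdir(target):
        shutil.rmtree(target)
    else:
        os.remove(target)
    return target


def demo() -> dict:
    """Build a throwaway storage root and exercise the check; returns outcomes."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "uploads")
    os.makedirs(os.path.join(root, "images"))
    open(os.path.join(root, "images", "a.png"), "w").close()
    outside = os.path.join(base, "secret.txt")      # lives outside the root
    open(outside, "w").close()
    os.symlink(base, os.path.join(root, "link"))     # symlink escaping the root

    # Constructed request paths: one legitimate file, several escape attempts,
    # the root itself, and a legitimate directory.
    requests = ["images/a.png", "../secret.txt", "link/secret.txt",
                "/etc/passwd", ".", "images"]
    results = {}
    for req in requests:
        try:
            safe_delete(root, req)
            results[req] = "deleted"
        except PathOutsideRoot:
            results[req] = "rejected"
        except FileNotFoundError:
            results[req] = "missing"
    results["outside_still_exists"] = os.path.exists(outside)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key!r}: {outcome}")
```

Path confinement addresses the integrity impact only; because the advisory rates the issue as exploitable with no privileges (PR:N), the same endpoint also needs an authentication and authorisation check before any deletion is attempted, and deletions should be logged with the resolved path and the acting principal so that misuse is detectable.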
An advisory providing further details, including potential mitigation guidance, is available at the referenced Notion page: https://locrian-lightning-dc7.notion.site/File-Delete-1628e5e2b1a280cfb497de7b8bcff128.
Details
- CWE(s)