Vulnerability Details CVE-2024-32491
An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.4%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2024-32491
- cpe:2.3:a:znuny:znuny:6.0.31
- cpe:2.3:a:znuny:znuny:6.0.32
- cpe:2.3:a:znuny:znuny:6.0.33
- cpe:2.3:a:znuny:znuny:6.0.34
- cpe:2.3:a:znuny:znuny:6.0.35
- cpe:2.3:a:znuny:znuny:6.0.36
- cpe:2.3:a:znuny:znuny:6.0.37
- cpe:2.3:a:znuny:znuny:6.0.38
- cpe:2.3:a:znuny:znuny:6.0.39
- cpe:2.3:a:znuny:znuny:6.0.40
- cpe:2.3:a:znuny:znuny:6.0.41
- cpe:2.3:a:znuny:znuny:6.0.42
- cpe:2.3:a:znuny:znuny:6.0.43
- cpe:2.3:a:znuny:znuny:6.0.44
- cpe:2.3:a:znuny:znuny:6.0.45
- cpe:2.3:a:znuny:znuny:6.0.46
- cpe:2.3:a:znuny:znuny:6.0.47
- cpe:2.3:a:znuny:znuny:6.0.48
- cpe:2.3:a:znuny:znuny:6.1.0
- cpe:2.3:a:znuny:znuny:6.5.1
- cpe:2.3:a:znuny:znuny:6.5.2
- cpe:2.3:a:znuny:znuny:6.5.3
- cpe:2.3:a:znuny:znuny:6.5.4
- cpe:2.3:a:znuny:znuny:6.5.5
- cpe:2.3:a:znuny:znuny:6.5.6
- cpe:2.3:a:znuny:znuny:6.5.7
- cpe:2.3:a:znuny:znuny:7.0.1
- cpe:2.3:a:znuny:znuny:7.0.10
- cpe:2.3:a:znuny:znuny:7.0.11
- cpe:2.3:a:znuny:znuny:7.0.12
- cpe:2.3:a:znuny:znuny:7.0.13
- cpe:2.3:a:znuny:znuny:7.0.14
- cpe:2.3:a:znuny:znuny:7.0.15
- cpe:2.3:a:znuny:znuny:7.0.16
- cpe:2.3:a:znuny:znuny:7.0.2
- cpe:2.3:a:znuny:znuny:7.0.3
- cpe:2.3:a:znuny:znuny:7.0.4
- cpe:2.3:a:znuny:znuny:7.0.5
- cpe:2.3:a:znuny:znuny:7.0.6
- cpe:2.3:a:znuny:znuny:7.0.7
- cpe:2.3:a:znuny:znuny:7.0.8
- cpe:2.3:a:znuny:znuny:7.0.9