CVE-2024-40400
Automad arbitrary file upload vulnerability
6.8
MEDIUM
CVSS 3.1
EPSS 2.7%
Description
An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file. The malicious file has to be prepared and uploaded manually by the admin. Usually there is only one admin per site and that is the owner.
How to fix CVE-2024-40400
To remediate CVE-2024-40400, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.0-alpha.5 or later
Is CVE-2024-40400 being exploited?
Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.0.0-alpha.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |