CVE-2024-37295 - Vulnerability Details - OpenCVE

Description

Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue.

Published: 2024-06-11

Score: 7.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

aimeos

aimeos-core

affected

Version	Status	Constraints
`>= 2024.04.1, < 2024.04.5`	affected	—

No data.

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-2159	Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue.
Github GHSA	GHSA-rhc2-23c2-ww7c	Remote code execution in web server context

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00132.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c

History

No history.

Subscriptions

Aimeos Aimeos-core

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-11T14:38:17.416Z

Updated: 2024-08-02T03:50:56.094Z

Reserved: 2024-06-05T20:10:46.496Z

Link: CVE-2024-37295

Vulnrichment

Updated: 2024-06-11T17:22:29.388Z

NVD

Status : Deferred

Published: 2024-06-11T15:16:09.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-37295

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-73

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37295", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-05T20:10:46.496Z", "datePublished": "2024-06-11T14:38:17.416Z", "dateUpdated": "2024-08-02T03:50:56.094Z"}, "containers": {"cna": {"title": "Aimeos Core remote code execution in web server context", "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c"}], "affected": [{"vendor": "aimeos", "product": "aimeos-core", "versions": [{"version": ">= 2024.04.1, < 2024.04.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-11T14:38:17.416Z"}, "descriptions": [{"lang": "en", "value": "Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue."}], "source": {"advisory": "GHSA-rhc2-23c2-ww7c", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "aimeos", "product": "aimeos-core", "cpes": ["cpe:2.3:a:aimeos:aimeos-core:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2024.01.1", "status": "affected", "lessThan": "2024.04.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T17:22:47.879934Z", "id": "CVE-2024-37295", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T17:22:52.398Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:50:56.094Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37295", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-05T20:10:46.496Z", "datePublished": "2024-06-11T14:38:17.416Z", "dateUpdated": "2024-06-11T17:22:52.398Z"}, "containers": {"cna": {"title": "Aimeos Core remote code execution in web server context", "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aimeos/aimeos-core/security/advisories/GHSA-rhc2-23c2-ww7c"}], "affected": [{"vendor": "aimeos", "product": "aimeos-core", "versions": [{"version": ">= 2024.04.1, < 2024.04.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-11T14:38:17.416Z"}, "descriptions": [{"lang": "en", "value": "Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue."}], "source": {"advisory": "GHSA-rhc2-23c2-ww7c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37295", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-11T17:22:47.879934Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:aimeos:aimeos-core:*:*:*:*:*:*:*:*"], "vendor": "aimeos", "product": "aimeos-core", "versions": [{"status": "affected", "version": "2024.01.1", "lessThan": "2024.04.5", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T17:22:29.388Z"}}]}}