CVE-2024-11979 CRITICAL

CVE-2024-11979: Interinfo DreamMaker - Unrestricted File Upload through Path Traversal

Vendor Interinfo

Product DreamMaker

Weakness CWE-434 · Unrestricted file upload

Published November 29, 2024

Last update December 3, 2024

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

DreamMaker from Interinfo has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

Key dates

02Disclosure timeline

November 29, 2024 CVE published

December 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-11979 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/434.html

Related vulnerabilities

04Related CVE

CVE-2025-62182 Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by a Unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. CVE-2024-11984 SUNNET Corporate Training Management System - Unrestricted Upload of File with Dangerous Type CVE-2021-21014 Magento Commerce Arbitrary Folder Empty Could Lead To Arbitrary Code Execution CVE-2024-20272 CVE-2013-10032 GetSimple CMS 3.2.1 Authenticated RCE via Arbitrary PHP File Upload