CVE-2024-2636 CRITICAL

CVE-2024-2636: Multiple vulnerabilities on Meta4 HR from Cegid

Vendor Cegid
Product Meta4 HR
Weakness CWE-434 · Unrestricted file upload
Published March 19, 2024
Last update August 13, 2024

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An Unrestricted Upload of File vulnerability has been found on Cegid Meta4 HR, that allows an attacker to upload malicios files to the server via '/config/espanol/update_password.jsp' file. Modifying the 'M4_NEW_PASSWORD' parameter, an attacker could store a malicious JSP file inside the file directory, to be executed the the file is loaded in the application.

Key dates

02Disclosure timeline

March 19, 2024 CVE published
August 13, 2024 Record updated