CVE-2024-37295 HIGH

CVE-2024-37295: Aimeos Core remote code execution in web server context

Vendor Aimeos
Product aimeos-core
Weakness CWE-73
Published June 11, 2024
Last update August 2, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Aimeos is an open-source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code, which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue.

Key dates

Disclosure timeline

June 11, 2024 CVE published
August 2, 2024 Record updated