CVE-2024-4836 HIGH

CVE-2024-4836: LFI in sites managed by Edito CMS

Vendor Edito
Product Edito CMS
Weakness CWE-552 · Files accessible externally
Published July 2, 2024
Last update August 1, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Web services managed by Edito CMS (Content Management System) in versions from 3.5 through 3.25 leak sensitive data as they allow downloading configuration files by an unauthenticated user. The issue in versions 3.5 - 3.25 was removed in releases which dates from 10th of January 2014. Higher versions were never affected.

Key dates

02Disclosure timeline

July 2, 2024 CVE published
August 1, 2024 Record updated