CVE-2024-23826

MEDIUM

spbu_se_site < 2024.01.29 - Authenticated Denial of Service via Large Unicode Filename Upload

Title source: llm

Description

spbu_se_site is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is due to no limitation of the length of the filename and the costly use of the Unicode normalization with the form NFKD on Windows OS. This vulnerability was fixed in the 2024.01.29 release.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/spbu-se/spbu_se_site/security/advisories/GHSA-5vfc-v7hg-pvwm

Patch x_refsource_misc

https://github.com/spbu-se/spbu_se_site/commit/5ad623eb0405260763046343c5785bc588d8a57d

View Patch ZIP pw:eip

Scores

CVSS v3 6.8

EPSS 0.0045

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (1)

se.math.spbu/spbu_se_site < 2024.01.29

Published Jan 29, 2024

Tracked Since Feb 18, 2026