CVE-2024-24724

CRITICAL

Gibbon <26.0.00 - SSRF/RCE

Title source: llm

Description

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.

Exploits (1)

exploitdb WORKING POC

by Ali Maharramli_Fikrat Guliev_Islam Rzayev · textwebappsphp

https://www.exploit-db.com/exploits/51962

View Code ZIP pw:eip

References (2)

[Product] https://gibbonedu.org/download/

[Exploit] https://packetstormsecurity.com/files/177857

Scores

CVSS v3 9.8

EPSS 0.4499

EPSS Percentile 97.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1336

Status published

Products (1)

gibbonedu/gibbon < 26.0.00

Published Apr 03, 2024

Tracked Since Feb 18, 2026