CVE-2024-28187

HIGH

soy_cms < 3.14.2 - Authenticated OS Command Injection via File Upload Filename

Description

SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Scores

CVSS v3: 7.2
EPSS: 0.0162
EPSS Percentile: 72.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): saitodev/soy_cms < 3.14.2
Published: Mar 11, 2024
Tracked Since: Feb 18, 2026