CVE-2024-28335
CRITICAL
Lektor < 3.3.11 - Remote Code Execution via DB Path Traversal
Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.
References (6)
Core References
Various Sources
https://getlektor.com/docs/quickstart
Various Sources
https://brave.com/privacy-updates/27-localhost-permission/
Exploit, Third Party Advisory
https://packetstormsecurity.com/files/177708/Lektor-Static-CMS-3.3.10-Arbitrary-File-Upload-Remote-Code-Execution.html
Issue Tracking
https://cxsecurity.com/issue/WLB-2024030043
Release Notes
https://github.com/lektor/lektor/releases/tag/v3.3.11
Scores
CVSS v3
9.1
EPSS
0.0039
EPSS Percentile
60.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (1)
pypi/Lektor
0 - 3.3.11 (PyPI)
Published
Mar 27, 2024
Tracked Since
Feb 18, 2026