CVE-2024-28713

CRITICAL

Mtons Mblog - Unrestricted File Upload

Title source: rule

Description

An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature.

References (9)

Core 9

Core References

Product

http://mblog.com

Product

https://gitee.com/mtons/mblog

Exploit

https://github.com/JiangXiaoBaiJia/cve/blob/main/%E5%9B%BE%E7%89%871.png

View Exploit ZIP pw:eip

Exploit

https://github.com/JiangXiaoBaiJia/cve/blob/main/%E5%9B%BE%E7%89%872.png

View Exploit ZIP pw:eip

Exploit

https://github.com/JiangXiaoBaiJia/cve/blob/main/%E5%9B%BE%E7%89%873.png

View Exploit ZIP pw:eip

Exploit

https://github.com/JiangXiaoBaiJia/cve/blob/main/%E5%9B%BE%E7%89%874.png

Exploit

https://github.com/JiangXiaoBaiJia/cve/blob/main/%E5%9B%BE%E7%89%875.png

Exploit, Third Party Advisory

https://github.com/JiangXiaoBaiJia/cve/blob/main/Mblog%20blog%20system%20has%20SSTI%20template%20injection%20vulnerability.md

Exploit, Mitigation, Third Party Advisory

https://www.vicarius.io/vsociety/posts/ssti-in-mblog-351-a-tale-of-a-glorified-rce-cve-2024-28713-28714

Scores

CVSS v3 9.8

EPSS 0.0096

EPSS Percentile 76.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

mtons/mblog 3.5.0

Published Mar 28, 2024

Tracked Since Feb 18, 2026