CVE-2024-29272

MEDIUM NUCLEI

VvvebJs < 1.7.5 - Arbitrary File Upload

Title source: nuclei

Description

Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.

Exploits (1)

nomisec WORKING POC

by awjkjflkwlekfdjs · poc

https://github.com/awjkjflkwlekfdjs/CVE-2024-29272

View Code ZIP pw:eip

Nuclei Templates (1)

VvvebJs < 1.7.5 - Arbitrary File Upload

MEDIUMVERIFIEDby s4e-io

FOFA: icon_hash="524332373"

References (2)

[Patch] https://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/givanz/VvvebJs/issues/343

Scores

CVSS v3 6.5

EPSS 0.8940

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-434

Status published

Products (2)

npm/vvvebJs 0 - 1.7.5npm

vvveb/vvvebjs < 1.7.5

Published Mar 22, 2024

Tracked Since Feb 18, 2026