CVE-2024-31666

CRITICAL

flusity-CMS 2.33 - Remote Code Execution via edit_addon_post.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-31666. PoCs published by hapa3.

AI-analyzed exploit summary: The repository provides a technical writeup detailing an unauthorized access vulnerability in Flusity-CMS v2.33, where a low-privileged user (cs2) can execute functions reserved for administrators via the endpoint /cover/addons/jd_simple_zer/action/edit_addon_post.php. The analysis includes screenshots demonstrating the exploit's success.

Description

An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component.

Exploits (1)

nomisec WRITEUP
by hapa3 · poc
https://github.com/hapa3/CVE-2024-31666

Classification: Writeup 80%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Flusity-CMS v2.33
Auth required
Prerequisites: Access to a low-privileged user account (e.g., cs2) · Target running Flusity-CMS v2.33
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0171
EPSS Percentile: 74.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-94
Status: published
Products (1): flusity/flusity 2.33
Published: Apr 22, 2024
Tracked Since: Feb 18, 2026