CVE-2024-28147 - Vulnerability Details - OpenCVE

An authenticated user can upload arbitrary files in the upload
function for collection preview images. An attacker may upload an HTML
file that includes malicious JavaScript code which will be executed if a
user visits the direct URL of the collection preview image (Stored
Cross Site Scripting). It is also possible to upload SVG files that
include nested XML entities. Those are parsed when a user visits the
direct URL of the collection preview image, which may be utilized for a
Denial of Service attack.

This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0035.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Metaventis	Edu-sharing

No data.

No data.

No data.

Fixes

Solution

The repository base version in use can be identified in the Admin-Tools. The vendor provides a patch for the affected versions: * Version 8.0: Update repository version to "8.0.8-RC2" or later * Version 8.1: Update repository version to "8.1.4-RC0" or later * Version 9.0: Update repository version to "9.0.0-RC19" or later

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Jun/11
https://packetstormsecurity.com/files/179199
https://r.sec-consult.com/metaventis

History

Fri, 14 Feb 2025 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Metaventis Metaventis edu-sharing
CPEs		cpe:2.3:a:metaventis:edu-sharing::::::::
Vendors & Products		Metaventis Metaventis edu-sharing
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2024-06-20T10:46:41.223Z

Updated: 2025-02-13T17:47:16.964Z

Reserved: 2024-03-05T09:15:40.202Z

Link: CVE-2024-28147

Vulnrichment

Updated: 2024-08-02T00:48:49.046Z

NVD

Status : Awaiting Analysis

Published: 2024-06-20T11:15:55.913

Modified: 2024-11-21T09:05:53.770

Link: CVE-2024-28147

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-28147", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2024-03-05T09:15:40.202Z", "datePublished": "2024-06-20T10:46:41.223Z", "dateUpdated": "2025-02-13T17:47:16.964Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "edu-sharing", "vendor": "metaVentis GmbH", "versions": [{"status": "affected", "version": "<8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kai Zimmermann, SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated user can upload arbitrary files in the upload \nfunction for collection preview images. An attacker may upload an HTML \nfile that includes malicious JavaScript code which will be executed if a\n user visits the direct URL of the collection preview image (Stored \nCross Site Scripting). It is also possible to upload SVG files that \ninclude nested XML entities. Those are parsed when a user visits the \ndirect URL of the collection preview image, which may be utilized for a \nDenial of Service attack.</p><p>This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.</p>"}], "value": "An authenticated user can upload arbitrary files in the upload \nfunction for collection preview images. An attacker may upload an HTML \nfile that includes malicious JavaScript code which will be executed if a\n user visits the direct URL of the collection preview image (Stored \nCross Site Scripting). It is also possible to upload SVG files that \ninclude nested XML entities. Those are parsed when a user visits the \ndirect URL of the collection preview image, which may be utilized for a \nDenial of Service attack.\n\nThis issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2024-06-24T04:06:02.487Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://r.sec-consult.com/metaventis"}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/11"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The repository base version in use can be identified in the Admin-Tools. The vendor provides a patch for the affected versions:</p><ul><li>Version 8.0: Update repository version to \"8.0.8-RC2\" or later</li><li>Version 8.1: Update repository version to \"8.1.4-RC0\" or later</li><li>Version 9.0: Update repository version to \"9.0.0-RC19\" or later</li></ul><br>"}], "value": "The repository base version in use can be identified in the Admin-Tools. The vendor provides a patch for the affected versions:\n\n * Version 8.0: Update repository version to \"8.0.8-RC2\" or later\n * Version 8.1: Update repository version to \"8.1.4-RC0\" or later\n * Version 9.0: Update repository version to \"9.0.0-RC19\" or later"}], "source": {"discovery": "UNKNOWN"}, "title": "Unrestricted Upload of Files in edu-sharing", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "metaventis", "product": "edu-sharing", "cpes": ["cpe:2.3:a:metaventis:edu-sharing:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "8.0.8-rc2", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "8.1.4-rc0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "9.0.0-rc19", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T20:36:12.469883Z", "id": "CVE-2024-28147", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:38:56.117Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.046Z"}, "references": [{"tags": ["third-party-advisory", "exploit", "technical-description"], "url": "https://packetstormsecurity.com/files/179199"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://r.sec-consult.com/metaventis"}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/11", "tags": ["x_transferred"]}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://packetstormsecurity.com/files/179199", "tags": ["third-party-advisory", "exploit", "technical-description"]}, {"url": "https://r.sec-consult.com/metaventis", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/11", "tags": ["x_transferred"]}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.046Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-28147", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-31T20:36:12.469883Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:metaventis:edu-sharing:*:*:*:*:*:*:*:*"], "vendor": "metaventis", "product": "edu-sharing", "versions": [{"status": "affected", "version": "0", "lessThan": "8.0.8-rc2", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "8.1.4-rc0", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "9.0.0-rc19", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T13:07:05.390Z"}}], "cna": {"title": "Unrestricted Upload of Files in edu-sharing", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kai Zimmermann, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "metaVentis GmbH", "product": "edu-sharing", "versions": [{"status": "affected", "version": "<8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19", "versionType": "custom"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "The repository base version in use can be identified in the Admin-Tools. The vendor provides a patch for the affected versions:\n\n * Version 8.0: Update repository version to \"8.0.8-RC2\" or later\n * Version 8.1: Update repository version to \"8.1.4-RC0\" or later\n * Version 9.0: Update repository version to \"9.0.0-RC19\" or later", "supportingMedia": [{"type": "text/html", "value": "<p>The repository base version in use can be identified in the Admin-Tools. The vendor provides a patch for the affected versions:</p><ul><li>Version 8.0: Update repository version to \"8.0.8-RC2\" or later</li><li>Version 8.1: Update repository version to \"8.1.4-RC0\" or later</li><li>Version 9.0: Update repository version to \"9.0.0-RC19\" or later</li></ul><br>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/metaventis", "tags": ["third-party-advisory"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jun/11"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An authenticated user can upload arbitrary files in the upload \nfunction for collection preview images. An attacker may upload an HTML \nfile that includes malicious JavaScript code which will be executed if a\n user visits the direct URL of the collection preview image (Stored \nCross Site Scripting). It is also possible to upload SVG files that \ninclude nested XML entities. Those are parsed when a user visits the \ndirect URL of the collection preview image, which may be utilized for a \nDenial of Service attack.\n\nThis issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.", "supportingMedia": [{"type": "text/html", "value": "<p>An authenticated user can upload arbitrary files in the upload \nfunction for collection preview images. An attacker may upload an HTML \nfile that includes malicious JavaScript code which will be executed if a\n user visits the direct URL of the collection preview image (Stored \nCross Site Scripting). It is also possible to upload SVG files that \ninclude nested XML entities. Those are parsed when a user visits the \ndirect URL of the collection preview image, which may be utilized for a \nDenial of Service attack.</p><p>This issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2024-06-24T04:06:02.487Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28147", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:47:16.964Z", "dateReserved": "2024-03-05T09:15:40.202Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2024-06-20T10:46:41.223Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "An authenticated user can upload arbitrary files in the upload \nfunction for collection preview images. An attacker may upload an HTML \nfile that includes malicious JavaScript code which will be executed if a\n user visits the direct URL of the collection preview image (Stored \nCross Site Scripting). It is also possible to upload SVG files that \ninclude nested XML entities. Those are parsed when a user visits the \ndirect URL of the collection preview image, which may be utilized for a \nDenial of Service attack.\n\nThis issue affects edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19."}, {"lang": "es", "value": "Un usuario autenticado puede cargar archivos arbitrarios en la funci\u00f3n de carga para im\u00e1genes de vista previa de la colecci\u00f3n. Un atacante puede cargar un archivo HTML que incluya c\u00f3digo JavaScript malicioso que se ejecutar\u00e1 si un usuario visita la URL directa de la imagen de vista previa de la colecci\u00f3n (Stored Cross Site Scripting). Tambi\u00e9n es posible cargar archivos SVG que incluyan entidades XML anidadas. Estos se analizan cuando un usuario visita la URL directa de la imagen de vista previa de la colecci\u00f3n, que puede utilizarse para un ataque de denegaci\u00f3n de servicio. Este problema afecta a edu-sharing: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19."}], "id": "CVE-2024-28147", "lastModified": "2024-11-21T09:05:53.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-20T11:15:55.913", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "http://seclists.org/fulldisclosure/2024/Jun/11"}, {"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/metaventis"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jun/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://packetstormsecurity.com/files/179199"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://r.sec-consult.com/metaventis"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}