{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28187", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.858Z", "datePublished": "2024-03-11T19:54:05.452Z", "dateUpdated": "2024-08-27T19:50:44.302Z"}, "containers": {"cna": {"title": "OS Command Injection Vulnerability in SOY CMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}, {"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC"], "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}], "affected": [{"vendor": "inunosinsi", "product": "soycms", "versions": [{"version": "< 3.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T19:54:05.452Z"}, "descriptions": [{"lang": "en", "value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-qg3q-hfgc-5jmm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.458Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}, {"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}]}, {"affected": [{"vendor": "soycms_project", "product": "soycms", "cpes": ["cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.14.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-27T19:49:03.978807Z", "id": "CVE-2024-28187", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T19:50:44.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.458Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28187", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-27T19:49:03.978807Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*"], "vendor": "soycms_project", "product": "soycms", "versions": [{"status": "affected", "version": "0", "lessThan": "3.14.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T19:50:39.298Z"}}], "cna": {"title": "OS Command Injection Vulnerability in SOY CMS", "source": {"advisory": "GHSA-qg3q-hfgc-5jmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "inunosinsi", "product": "soycms", "versions": [{"status": "affected", "version": "< 3.14.2"}]}], "references": [{"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T19:54:05.452Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28187", "state": "PUBLISHED", "dateUpdated": "2024-08-27T19:50:44.302Z", "dateReserved": "2024-03-06T17:35:00.858Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-11T19:54:05.452Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "SOY CMS es un CMS (sistema de gesti\u00f3n de contenidos) de c\u00f3digo abierto que le permite crear blogs y tiendas en l\u00ednea. Las versiones de SOY CMS anteriores a la 3.14.2 son afectados por una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo dentro de la funci\u00f3n de carga de archivos cuando un administrador accede a ella. La vulnerabilidad permite la ejecuci\u00f3n de comandos arbitrarios del sistema operativo a trav\u00e9s de nombres de archivos especialmente manipulados que contienen un punto y coma, lo que afecta la funcionalidad jpegoptim. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 3.14.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-28187", "lastModified": "2024-03-12T12:40:13.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-11T20:15:07.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}, {"source": "security-advisories@github.com", "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}