CVE-2024-28698: 
C# vulnerability analysis and mitigation

A directory traversal vulnerability has been identified in Marimer LLC CSLA .Net versions prior to 8.0, specifically affecting the MobileFormatter component. The vulnerability, tracked as CVE-2024-28698, was discovered during a penetration test and allows remote attackers to execute arbitrary code via crafted scripts. The issue was disclosed to the CSLA project on August 23, 2023, and was finally patched with the release of CSLA 8.0 on April 3, 2024 (Intruder Research).

The vulnerability exists in the MobileFormatter component's type deserialization process. When processing user input, the GetTypeFromCache function calls LoadFromAssemblyPath without properly validating the input against path traversal. The function automatically appends '.dll' to the end of file paths, but this can be bypassed using null-byte injection techniques. This allows attackers to load arbitrary DLL files from the filesystem, including those uploaded through the application's file upload functionality (Intruder Research). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the affected system. This is particularly dangerous in applications that allow file uploads, as attackers can combine the path traversal vulnerability with uploaded malicious DLL files to achieve remote code execution with the privileges of the web application (Intruder Research).

The vulnerability has been fixed in CSLA.NET version 8.0. Organizations using affected versions should upgrade immediately to this version. If unable to upgrade, developers should manually implement path validation to ensure that loaded assemblies reside within the application directory. The fix involves checking that the DLL being loaded is within the intended application directory before allowing the load operation (GitHub PR).