CVE-2024-53615: 
JavaScript vulnerability analysis and mitigation

A command injection vulnerability exists in the video thumbnail rendering component of Karl Ward's files.gallery versions 0.3.0 through 0.11.0. This vulnerability allows remote attackers to execute arbitrary code via a crafted video file (NVD, GitHub POC). The vulnerability was disclosed on January 30, 2025.

The vulnerability exists in the video thumbnail generation functionality where user-controlled input ($this->path) is directly used in a command without proper sanitization. The vulnerable code executes ffmpeg commands to generate video previews. An attacker can craft a malicious file with a filename containing bash command substitution, which gets executed when the application processes the video thumbnail. The exploit requires ffmpeg to be in the PATH, PHP exec function to be enabled, and the 'allow_upload' configuration option to be set to true (GitHub POC). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) by CISA-ADP (NVD).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system. This can lead to unauthorized access, data theft, and potential system compromise. The attacker can execute shell commands, though possibilities are limited due to filename length constraints (GitHub POC).

No official patch information is currently available. As temporary mitigation measures, administrators should consider disabling file uploads by setting 'allow_upload' to false in config.php, disabling PHP exec function, or implementing strict input validation for uploaded filenames (GitHub POC).