Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-6946
CVE-2024-6946:
NixOS vulnerability analysis and mitigation
Overview
A critical code injection vulnerability was discovered in Flute CMS version 0.2.2.4-alpha. The vulnerability affects the /admin/pages/list file and was disclosed on July 21, 2024. This security flaw allows remote attackers to inject malicious code through the manipulation of the 'blocks' argument (NVD, VulDB).
Technical details
The vulnerability exists in the page content definition functionality where an attacker can insert PHP code within HTML objects. The application processes content sent to the server in JSON format using the PUT method, as analyzed in the 'app/Core/Admin/Http/Controllers/Views/PagesView.php' file. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, GitHub).
Impact
The vulnerability allows attackers with admin access to execute arbitrary PHP code on the affected system, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).
Additional resources
Source: This report was generated using AI
Related NixOS vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management