CVE-2024-34909 - Vulnerability Details - OpenCVE

An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Kykms	Kykms

Configuration 1 [-]

cpe:2.3:a:kykms:kykms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-05-15T19:26:33.785Z

Updated: 2025-02-13T15:53:30.589Z

Reserved: 2024-05-09T00:00:00.000Z

Link: CVE-2024-34909

Vulnrichment

Updated: 2024-08-02T02:59:22.608Z

NVD

Status : Modified

Published: 2024-05-15T20:15:13.570

Modified: 2024-11-21T09:19:31.770

Link: CVE-2024-34909

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-34909", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-13T15:53:30.589Z", "datePublished": "2024-05-15T19:26:33.785Z", "dateReserved": "2024-05-09T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-15T19:26:34.102Z"}, "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34909", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T15:58:18.337511Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kykms:kykms:1.01:*:*:*:*:*:*:*"], "vendor": "kykms", "product": "kykms", "versions": [{"status": "affected", "version": "1.0.1*", "versionType": "custom", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:24.100Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.608Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.608Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34909", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T15:58:18.337511Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kykms:kykms:1.01:*:*:*:*:*:*:*"], "vendor": "kykms", "product": "kykms", "versions": [{"status": "affected", "version": "1.0.1*", "versionType": "custom", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-16T16:01:39.510Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability"}], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-15T19:26:34.102Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34909", "state": "PUBLISHED", "dateUpdated": "2025-02-13T15:53:30.589Z", "dateReserved": "2024-05-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-15T19:26:33.785Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kykms:kykms:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B99783E-AA73-4E2C-9E8B-79F4C5B8BC4B", "versionEndIncluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in KYKMS v1.0.1 and below allows attackers to execute arbitrary code via uploading a crafted PDF file."}, {"lang": "es", "value": "Una vulnerabilidad de carga de archivos arbitraria en KYKMS v1.0.1 y versiones anteriores permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo PDF manipulado."}], "id": "CVE-2024-34909", "lastModified": "2024-11-21T09:19:31.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-15T20:15:13.570", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Joying-C/Cross-site-scripting-vulnerability/tree/main/KYKMS_Cross_site%20_scripting%20_vulnerability"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}