CRITICAL🇵🇱 Wersja polska

CVE-2024-39171

CVSS 9.8v3.1pub. 2024-07-09upd. 2026-07-05

Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.

🤖 AI Analysis
How it works

The vulnerability results from incomplete implementation of the file extension blacklist mechanism and insufficient path directory verification. An attacker can exploit the path traversal flaw to write specially crafted directives to the .htaccess file, thereby modifying the web server configuration. Subsequently, by writing malicious code to a file with a .png extension (which is treated as safe), the attacker causes the server to execute this code.

Impact

An attacker gains the ability to execute arbitrary code remotely (RCE) on the server, which may result in complete system takeover, data theft, and violation of application integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. It is also recommended to monitor and restrict write permissions to application directories and verify the integrity of .htaccess files on the server.

Who is affected

PHPVibe version 11.0.46

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Phpvibe

    APP
    Phpvibe
    11.0.3 – 11.0.46
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-6083MEDIUM5.3ten sam produkt

A vulnerability, which was classified as critical, was found in PHPVibe 11.0.46. Affected is an unknown functi...

CVE-2024-6082MEDIUM5.1ten sam produkt

A vulnerability, which was classified as problematic, has been found in PHPVibe 11.0.46. This issue affects so...

CVE-2015-5399MEDIUM5.4ten sam produkt

Cross-site scripting (XSS) vulnerability in PHPVibe before 4.21 allows remote authenticated users to inject ar...