CRITICAL🇵🇱 Wersja polska

CVE-2024-39914

CVSS 9.8v3.1pub. 2024-07-12upd. 2025-09-29

FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. This vulnerability is fixed in 1.5.10.34.

🤖 AI Analysis
How it works

The vulnerability is located in the file packages/web/lib/fog/reportmaker.class.php and is triggered via the filename parameter passed to the /fog/management/export.php endpoint. Lack of proper validation and sanitization of this parameter allows injection of arbitrary system commands (command injection, CWE-77), which are then executed by the server with the permissions of the web process.

Impact

An attacker can take full control of the server — gain access to sensitive data, modify system data, or cause service unavailability (complete CIA triad: confidentiality, integrity, availability at HIGH level according to CVSS).

Mitigation & patch

FOGProject must be immediately updated to version 1.5.10.34 or newer, in which the vulnerability has been fixed. The patch is available in the project's GitHub repository (commit 2413bc034753c32799785e9bf08164ccd0a2759f).

Who is affected

FOGProject in versions earlier than 1.5.10.34

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fogproject

    APP
    Fogproject
    < 1.5.10.41
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-58443CRITICAL9.9PL ✓ten sam produkt

FOG Project – pomijanie uwierzytelnienia umożliwia zrzut bazy danych

CVE-2024-42348CRITICAL9.3PL ✓ten sam produkt

FOG Server — wyciek danych uwierzytelniających Active Directory przy rejestracji komputera

CVE-2024-40645HIGH8.8ten sam produkt

FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload featur...

CVE-2024-41108HIGH7.5ten sam produkt

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has miss...

CVE-2024-34477HIGH7.8ten sam produkt

configureNFS in lib/common/functions.sh in FOG through 1.5.10 allows local users to gain privileges by mountin...