CRITICAL🇵🇱 Wersja polska

CVE-2024-48202

CVSS 9.8v3.1pub. 2024-10-30upd. 2025-04-18

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) consists of the lack of proper validation of the type and content of the uploaded file in the uploadFile method of the FileUtils.java class. An attacker can upload an executable file (e.g., webshell) without requiring authentication. After loading the malicious file on the server, it is possible to execute it and perform arbitrary commands in the application context.

Impact

An attacker can gain full control over the server — read, modify and delete data, as well as execute arbitrary system commands (RCE). Due to the lack of authentication requirements, the vulnerability is particularly dangerous in internet-exposed environments.

Mitigation & patch

Patches available from the vendor should be applied according to references. Until updates are deployed, it is recommended to restrict access to file upload functionality at the firewall or reverse proxy level and monitor the upload directory for suspicious executable files.

Who is affected

Thecosy IceCMS in versions 3.4.7 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Thecosy Icecms

    APP
    Thecosy
    ≤ 3.4.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-46612CRITICAL9.8PL ✓ten sam produkt

IceCMS: zakodowany na stałe klucz JWT umożliwia fałszowanie tokenów

CVE-2023-40833CRITICAL9.8ten sam produkt

An issue in Thecosy IceCMS v.1.0.0 allows a remote attacker to gain privileges via the Id and key parameters i...

CVE-2025-22984HIGH7.5ten sam produkt

An access control issue in the component /api/squareComment/DelectSquareById of iceCMS v2.2.0 allows unauthent...

CVE-2025-22983HIGH7.5ten sam produkt

An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated a...

CVE-2024-46607HIGH7.6ten sam produkt

Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrar...