CVE-2024-7928

Published Aug 19, 2024

Last updated a year ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-7928 is an unauthenticated path traversal vulnerability (CWE-22) in FastAdmin versions up to 1.3.3.20220121. The `/index/ajax/lang` endpoint uses the value of its `lang` parameter to locate a file on the server, and that value is not confined to the intended language directory, so a remote attacker can place directory traversal sequences (`../`) in `lang` to escape that directory and read other files the web application can access. Depending on what is readable, this can expose configuration files, database credentials, and API keys. A public proof of concept (PoC) exists. The fix is to upgrade FastAdmin to version 1.3.4.20220530 or later. Note that the scores on this page disagree about authentication: NVD's primary CVSS 3.1 vector (7.5, PR:N, C:H) rates the flaw as exploitable without credentials with high confidentiality impact, while the CNA's CVSS 4.0 and 2.0 vectors (PR:L and Au:S) assume a low-privileged user; when prioritizing, treat it as unauthenticated.
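As an added example that is not part of this CVE record or of FastAdmin's code: a Python detector that flags traversal probes against `/index/ajax/lang` in web server access logs (it handles single and double percent-encoding and backslashes), next to an illustrative unsafe path lookup and the allowlist-plus-containment lookup that closes this class of bug. The log lines are constructed, and the `ALLOWED_LANGS` list and the `LANG_DIR` install path are assumptions, not FastAdmin's real values.

```python
# Added example, not FastAdmin's code and not part of the CVE record.
# Detects path-traversal probes against /index/ajax/lang in access logs and
# shows an unsafe path lookup beside a hardened one. Log lines are constructed;
# ALLOWED_LANGS and LANG_DIR are assumptions about the deployment.
from __future__ import annotations

import os
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Combined Log Format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2024:10:00:01 +0000] "GET /index/ajax/lang?lang=zh-cn HTTP/1.1" 200 512
203.0.113.7 - - [19/Aug/2024:10:00:02 +0000] "GET /index/ajax/lang?lang=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [19/Aug/2024:10:00:03 +0000] "GET /index/ajax/lang?lang=..%2F..%2Fconfig HTTP/1.1" 200 1900
203.0.113.7 - - [19/Aug/2024:10:00:04 +0000] "GET /index/ajax/lang?lang=%252e%252e/%252e%252e/config HTTP/1.1" 404 0
203.0.113.9 - - [19/Aug/2024:10:00:05 +0000] "GET /index/ajax/lang?lang=en HTTP/1.1" 200 480
203.0.113.9 - - [19/Aug/2024:10:00:06 +0000] "GET /index/index/index HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
VULN_PATH = "/index/ajax/lang"  # endpoint named in the CVE


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(lang: str) -> bool:
    """True when the decoded lang value could escape the language directory."""
    decoded = fully_decode(lang).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(log_text: str) -> list[dict]:
    """One record per request to VULN_PATH whose lang parameter is a traversal probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        # parse_qs already decodes one layer; is_traversal strips the rest.
        for lang in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
            if is_traversal(lang):
                hits.append({"ip": m["ip"], "lang": lang, "status": int(m["status"])})
    return hits


# Assumed language allowlist and install path (not FastAdmin's real values).
ALLOWED_LANGS = frozenset({"zh-cn", "en"})
LANG_DIR = "/srv/fastadmin/public/assets/js/lang"


def unsafe_lang_file(lang: str) -> str:
    """Shape of the flaw (illustrative): user value joined straight into a path."""
    return os.path.normpath(os.path.join(LANG_DIR, lang + ".js"))


def safe_lang_file(lang: str) -> Optional[str]:
    """Hardened lookup: allowlist first, then prove the resolved path stays in LANG_DIR."""
    if lang not in ALLOWED_LANGS:
        return None
    candidate = os.path.normpath(os.path.join(LANG_DIR, lang + ".js"))
    if os.path.commonpath([LANG_DIR, candidate]) != LANG_DIR:  # belt and braces
        return None
    return candidate


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal probe from {hit['ip']}: lang={hit['lang']!r} status={hit['status']}")
    print("unsafe:", unsafe_lang_file("../../config"))
    print("safe:  ", safe_lang_file("../../config"), safe_lang_file("en"))
```

The detector keys on the exact endpoint path and on the decoded `lang` value rather than on the raw `../` string, so encoded variants are caught and ordinary language tags are not. In the hardened lookup the allowlist alone is sufficient; the `commonpath` check is kept so that a future change to how the allowlist is populated cannot silently reopen the traversal.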

Description
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
Source
cna@vuldb.com
NVD status
Analyzed
Products
fastadmin

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

CVSS 2.0

Type
Secondary
Base score
4.0
Impact score
2.9
Exploitability score
8.0
Vector string
AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity
MEDIUM

Weaknesses

cna@vuldb.com
CWE-22

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

Configurations