S4E

CVE-2024-42640 Scanner

CVE-2024-42640 scanner - Remote Code Execution (RCE) vulnerability in Angular Base64 Upload

Short Info


Level

Critical

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

4 weeks

Scan only one

Domain, IPv4

Toolbox

-

Angular Base64 Upload is a library designed to simplify the process of uploading base64 encoded files in AngularJS applications. It is commonly used by developers integrating file upload functionalities into web applications. The library supports customizable and easy-to-implement file handling for modern web applications. While efficient for its purpose, it has been deprecated and no longer maintained. Developers in search of alternative upload solutions often rely on this library in legacy projects.

The CVE-2024-42640 vulnerability in Angular Base64 Upload allows an unauthenticated attacker to execute remote code on the server. The issue stems from a misconfigured demo server endpoint (server.php) that permits arbitrary content upload. Exploited successfully, it enables attackers to upload executable files and subsequently execute them. This critical flaw poses severe risks, especially in unsupported systems that still utilize the library.

The vulnerability lies in the demo/server.php endpoint, which accepts file uploads without authentication or validation. Attackers can send a base64-encoded payload alongside a crafted file name to this endpoint. Uploaded files are stored in the demo/uploads directory, where they remain executable by default. The lack of validation on file types and the absence of access restrictions further exacerbate the risk. Successful exploitation allows the attacker to execute PHP scripts, gaining complete control over the server.

Possible Effects:

  • Full server compromise due to unauthorized remote code execution.
  • Deployment of malware or backdoors on the server.
  • Extraction of sensitive data from the compromised server.
  • Possible pivoting to other parts of the network, escalating the attack scope.

With S4E, protect your digital assets from critical vulnerabilities like CVE-2024-42640. Gain peace of mind with proactive monitoring, automated scanning, and in-depth reports tailored to your organization's security needs. By becoming a member, you access a comprehensive cybersecurity toolkit that helps mitigate risks effectively. Stay ahead of potential threats and safeguard your systems with our easy-to-use platform.

References:

Get started to protecting your Free Full Security Scan