Home > Vulnerability Database > CVE-2024-27448

Mend.io Vulnerability Database

CVE-2024-27448

Date: April 4, 2024

MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file.

Language: JS

Severity Score

9.1

Related Resources (8)

Url: https://github.com/Tim-Hoekstra/MailDev-2.1.0-Exploit-RCE

Url: https://intrix.com.au/articles/exposing-major-security-flaw-in-maildev

Url: https://github.com/maildev/maildev

Url: https://github.com/maildev/maildev/releases

Url: https://github.com/maildev/maildev/issues/467

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27448

Url: https://gist.github.com/stypr/fe2003f00959f7e3d92ab9d5260433f8

Url: https://www.mend.io/vulnerability-database/CVE-2024-27448

Severity Score

9.1

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27448

Date: April 4, 2024

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?