Home > Vulnerability Database > CVE-2024-28335

Mend.io Vulnerability Database

CVE-2024-28335

Good to know:

Date: March 27, 2024

Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.

Language: Python

Severity Score

9.8

Related Resources (8)

Url: https://getlektor.com/docs/quickstart

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28335

Url: https://cxsecurity.com/issue/WLB-2024030043

Url: https://github.com/lektor/lektor/pull/1179/commits/8f38b9713d152622b69ff5e3b1e6a0d7bb7fa800

Url: https://packetstormsecurity.com/files/177708/Lektor-Static-CMS-3.3.10-Arbitrary-File-Upload-Remote-Code-Execution.html

Url: https://brave.com/privacy-updates/27-localhost-permission/

Url: https://github.com/lektor/lektor/releases/tag/v3.3.11

Url: https://www.mend.io/vulnerability-database/CVE-2024-28335

Severity Score

9.8

Top Fix

Upgrade Version

Upgrade to version Lektor - 3.3.11

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28335

Good to know:

Date: March 27, 2024

Language: Python

Severity Score

Related Resources (8)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?