CVE-2024-28187 - Vulnerability Details - OpenCVE

SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Saitodev	Soy Cms

Configuration 1 [-]

cpe:2.3:a:saitodev:soy_cms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8
https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm

History

Thu, 10 Apr 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Saitodev Saitodev soy Cms
CPEs		cpe:2.3:a:saitodev:soy_cms::::::::
Vendors & Products		Saitodev Saitodev soy Cms

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-11T19:54:05.452Z

Updated: 2024-08-27T19:50:44.302Z

Reserved: 2024-03-06T17:35:00.858Z

Link: CVE-2024-28187

Vulnrichment

Updated: 2024-08-02T00:48:49.458Z

NVD

Status : Analyzed

Published: 2024-03-11T20:15:07.180

Modified: 2025-04-10T19:18:04.037

Link: CVE-2024-28187

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28187", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.858Z", "datePublished": "2024-03-11T19:54:05.452Z", "dateUpdated": "2024-08-27T19:50:44.302Z"}, "containers": {"cna": {"title": "OS Command Injection Vulnerability in SOY CMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}, {"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC"], "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}], "affected": [{"vendor": "inunosinsi", "product": "soycms", "versions": [{"version": "< 3.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T19:54:05.452Z"}, "descriptions": [{"lang": "en", "value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-qg3q-hfgc-5jmm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.458Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}, {"name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}]}, {"affected": [{"vendor": "soycms_project", "product": "soycms", "cpes": ["cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.14.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-27T19:49:03.978807Z", "id": "CVE-2024-28187", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T19:50:44.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.458Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28187", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-27T19:49:03.978807Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:soycms_project:soycms:*:*:*:*:*:*:*:*"], "vendor": "soycms_project", "product": "soycms", "versions": [{"status": "affected", "version": "0", "lessThan": "3.14.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T19:50:39.298Z"}}], "cna": {"title": "OS Command Injection Vulnerability in SOY CMS", "source": {"advisory": "GHSA-qg3q-hfgc-5jmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "inunosinsi", "product": "soycms", "versions": [{"status": "affected", "version": "< 3.14.2"}]}], "references": [{"url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "name": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "name": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-11T19:54:05.452Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28187", "state": "PUBLISHED", "dateUpdated": "2024-08-27T19:50:44.302Z", "dateReserved": "2024-03-06T17:35:00.858Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-11T19:54:05.452Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saitodev:soy_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ED8DA24-664C-4199-9620-6FC91C0F4156", "versionEndExcluding": "3.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the execution of arbitrary OS commands through specially crafted file names containing a semicolon, affecting the jpegoptim functionality. This vulnerability has been patched in version 3.14.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "SOY CMS es un CMS (sistema de gesti\u00f3n de contenidos) de c\u00f3digo abierto que le permite crear blogs y tiendas en l\u00ednea. Las versiones de SOY CMS anteriores a la 3.14.2 son afectados por una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo dentro de la funci\u00f3n de carga de archivos cuando un administrador accede a ella. La vulnerabilidad permite la ejecuci\u00f3n de comandos arbitrarios del sistema operativo a trav\u00e9s de nombres de archivos especialmente manipulados que contienen un punto y coma, lo que afecta la funcionalidad jpegoptim. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 3.14.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-28187", "lastModified": "2025-04-10T19:18:04.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-11T20:15:07.180", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/inunosinsi/soycms/commit/9b0e452f628df28dec69cd72b6b55db21066cbf8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/inunosinsi/soycms/security/advisories/GHSA-qg3q-hfgc-5jmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}