CVE-2024-28335

Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lektor
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
needs-triage
focal
needs-triage
Common Weakness Enumeration
References
https://brave.com/privacy-updates/27-localhost-permission/
https://cxsecurity.com/issue/WLB-2024030043
https://getlektor.com/docs/quickstart
https://github.com/lektor/lektor/pull/1179/commits/8f38b9713d152622b69ff5e3b1e6a0d7bb7fa800
https://github.com/lektor/lektor/releases/tag/v3.3.11
https://packetstormsecurity.com/files/177708/Lektor-Static-CMS-3.3.10-Arbitrary-File-Upload-Remote-Code-Execution.html
https://brave.com/privacy-updates/27-localhost-permission/
https://cxsecurity.com/issue/WLB-2024030043
https://getlektor.com/docs/quickstart
https://github.com/lektor/lektor/pull/1179/commits/8f38b9713d152622b69ff5e3b1e6a0d7bb7fa800
https://github.com/lektor/lektor/releases/tag/v3.3.11
https://packetstormsecurity.com/files/177708/Lektor-Static-CMS-3.3.10-Arbitrary-File-Upload-Remote-Code-Execution.html