CVE-2024-40400: Automad arbitrary file upload vulnerability

July 19, 2024 (updated November 18, 2024)

An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.

The malicious file has to be prepared and uploaded manually by the admin. Usually there is only one admin per site and that is the owner.

References

github.com/advisories/GHSA-47mc-qmh2-mqj4
github.com/marcantondahmen/automad
github.com/marcantondahmen/automad/commit/112f070ccf423931c9bb2b36f9a26c345e1ef56e
github.com/marcantondahmen/automad/issues/106
nvd.nist.gov/vuln/detail/CVE-2024-40400

Code Behaviors & Features

Detect and mitigate CVE-2024-40400 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →