Loomio 2.22.1 - Code injection
7.2 (High)
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: Loomio 2.4.1 - Code injection
Code name:
State: Public
Release date: 29 feb 2024
Affected product: Loomio
Affected version(s): Version 2.22.1
Vulnerability name: OS Command Injection
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score: 7.2
Exploit available: Yes
CVE ID(s):
Description
Loomio version 2.22.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection.
Vulnerability
A command injection vulnerability has been identified in Loomio that allows an attacker to achieve remote code execution (RCE) on the server. This is possible by sending a malicious URL to the server.
Exploit
A malicious URL is sent to the server.
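Why URL text that reaches a shell command string is dangerous, and the fix, as an added Ruby illustration that is not Loomio's code (the `echo` command and the helper names are assumptions standing in for whatever tool an application would invoke on a fetched URL):

```ruby
# Added illustration (not Loomio's code): why user-supplied URL text that ends up
# in a shell command string is dangerous, and the two-part fix. `echo` stands in
# for whatever external tool a hypothetical fetch helper would invoke.
require "open3"
require "uri"

# Constructed sample input: a "URL" carrying a shell metacharacter sequence.
TAINTED_URL = "http://example.test/; echo INJECTED".freeze

# VULNERABLE PATTERN: interpolating input into one command string. Given a
# single string, Open3 (like Kernel#system and backticks) runs it through
# /bin/sh, so ';', '|', '$(...)' etc. inside the URL are parsed by the shell.
def fetch_via_shell_string(url)
  out, _status = Open3.capture2("echo #{url}")
  out
end

# HARDENED: argv form. Each element is exactly one argument and no shell is
# involved, so the metacharacters reach the program as literal text.
def fetch_via_argv(url)
  out, _status = Open3.capture2("echo", url)
  out
end

# Defence in depth: accept only well-formed http(s) URLs with a host, and
# reject characters that have no business in a URL but mean something to a shell.
SHELL_LIKE = /[\s;|$`'"\\<>(){}]/.freeze

def valid_fetch_url?(raw)
  return false unless raw.is_a?(String) && raw.length <= 2048
  return false if raw.match?(SHELL_LIKE)
  uri = URI.parse(raw)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty? # URI::HTTPS < URI::HTTP
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  puts "shell string: #{fetch_via_shell_string(TAINTED_URL).inspect}"
  puts "argv:         #{fetch_via_argv(TAINTED_URL).inspect}"
  puts "valid?        #{valid_fetch_url?(TAINTED_URL)}"
end
```

The shell-string form prints two lines because `/bin/sh` treats the `;` as a command separator; the argv form prints the whole tainted value as one literal argument.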
Evidence of exploitation
We have reserved the ID CVE-2024-1297 to refer to this issue from now on.
System Information
Version: Loomio 2.22.1
Operating System: MacOS
Mitigation
An updated version of Loomio is available at the vendor page.
References
Timeline
Vendor contacted: 12 feb 2024
Vendor replied: 19 feb 2024
Vendor Confirmed Vuln.: 25 feb 2024
Vulnerability patched: 25 feb 2024
Public disclosure: 29 feb 2024