CVE-2024-56828

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://gitee.com/liweiyi/ChestnutCMS", "name": "https://gitee.com/liweiyi/ChestnutCMS", "tags": ["Product"], "refsource": ""}, {"url": "https://github.com/Zerone0x00/CVE/blob/main/ChestnutCMS/CVE-2024-56828.md", "name": "https://github.com/Zerone0x00/CVE/blob/main/ChestnutCMS/CVE-2024-56828.md", "tags": ["Exploit", "Third Party Advisory"], "refsource": ""}, {"url": "https://www.1000mz.com/", "name": "https://www.1000mz.com/", "tags": ["Product"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "File Upload vulnerability in ChestnutCMS through 1.5.0. Based on the code analysis, it was determined that the /api/member/avatar API endpoint receives a base64 string as input. This string is then passed to the memberService.uploadAvatarByBase64 method for processing. Within the service, the base64-encoded image is parsed. For example, given a string like: data:image/html;base64,PGh0bWw+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPjwvaHRtbD4= the content after the comma is extracted and decoded using Base64.getDecoder().decode(). The substring from the 11th character up to the first occurrence of a semicolon (;) is assigned to the suffix variable (representing the file extension). The decoded content is then written to a file. However, the file extension is not validated, and since this functionality is exposed to the frontend, it poses significant security risks."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-56828", "ASSIGNER": "cve@mitre.org"}}, "impact": {}, "publishedDate": "2025-01-06T18:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:1000mz:chestnutcms:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.5.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-04-21T17:10Z"}