CVE-2024-24550

Bludit - Remote Code Execution (RCE) through File API

Description

A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.

Remediation

Solution:

1. Remove the file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files through the web application (AJAX).
2. Use an allowlist: If the first suggestion is not feasible because the API is an actively used feature for Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and MIME type should be checked.
3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB).
4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.
5. If uploaded files should be downloadable: Disable PHP in the upload folder, e.g. with the following configuration in nginx:

```
location /upload_folder {
    # Disable PHP execution
    location ~ \.php$ {
        deny all;
    }
    # Allow other file types
    location /upload_folder/ {
        # Additional configurations for other file types if necessary
    }
}
```
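The allowlist check from step 2 and the storage limit from step 3, written out as an added PHP example. This is not Bludit's own code: the allowlist table, the size constant and the function names `validateUpload` and `safeDestination` are assumptions for illustration. The check uses the content-sniffed MIME type rather than the client-supplied one, rejects names that carry a PHP-like segment before the final extension (e.g. `shell.php.png`), and stores the file under a random name so the original name never reaches the filesystem.

```php
<?php
// Added example (not Bludit's code): allowlist validation for an uploaded file
// before it is moved into the upload directory. Names and values are assumed.

const UPLOAD_ALLOWLIST = [
    // extension => MIME types that finfo may report for that extension
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];
const UPLOAD_MAX_BYTES = 10 * 1024 * 1024; // 10 MB, the limit suggested in the advisory

/**
 * Validate a temporary uploaded file against the allowlist.
 * Returns null when the file is acceptable, otherwise a reason string.
 */
function validateUpload(string $tmpPath, string $originalName, int $sizeBytes): ?string
{
    if ($sizeBytes <= 0 || $sizeBytes > UPLOAD_MAX_BYTES) {
        return 'file size out of range';
    }

    // basename() strips any directory component the client may have sent.
    $base  = basename($originalName);
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return 'missing extension';
    }
    $ext = strtolower(array_pop($parts));

    // Reject "a.php.png"-style names: some handlers dispatch on any .php segment.
    foreach ($parts as $segment) {
        if (preg_match('/^ph(p[0-9]?|tml|ar|ps)$/i', $segment)) {
            return 'disallowed secondary extension';
        }
    }
    if (!array_key_exists($ext, UPLOAD_ALLOWLIST)) {
        return "extension .$ext not in allowlist";
    }

    // Sniff the content; never trust $_FILES['file']['type'] from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, UPLOAD_ALLOWLIST[$ext], true)) {
        return 'content type ' . var_export($mime, true) . " does not match .$ext";
    }
    return null;
}

/**
 * Build a destination path with a random basename and only the allowlisted extension.
 */
function safeDestination(string $uploadDir, string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage for a multipart form field named "file" (constructed example):
// $f = $_FILES['file'];
// $error = validateUpload($f['tmp_name'], $f['name'], (int) $f['size']);
// if ($error !== null) { http_response_code(400); exit($error); }
// move_uploaded_file($f['tmp_name'], safeDestination('/var/www/uploads', $f['name']));
```

The allowlist maps each extension to the MIME types `finfo` is expected to return for it, so a file passes only when both the name and the sniffed content agree; combining this with step 5 (no PHP execution in the upload folder) means a single bypass of either check is not enough to reach code execution.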

Category

CVSS 4.0 score: 8.9 (Severity: High)
EPSS: 0.42%
Affected: Bludit Bludit

Frequently Asked Questions

What is the severity of CVE-2024-24550?
CVE-2024-24550 has been scored as a high severity vulnerability.
How to fix CVE-2024-24550?
To fix CVE-2024-24550, apply the steps listed under Remediation: remove the undocumented file upload API or, if it is an actively used feature, restrict uploads with an allowlist that checks file extension and MIME type before storage; limit the amount of data a user may store (e.g. 10MB); relocate the temporary file directory outside of the web root if uploaded files should not be downloadable by everyone; and, if they should be downloadable, disable PHP execution in the upload folder (for example with the nginx configuration shown above).
Is CVE-2024-24550 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-24550 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-24550?
CVE-2024-24550 affects Bludit Bludit.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.