Angular-base64-upload Demo Script Exploited (CVE-2024-42640) (Tue, Oct 15th)

Demo scripts left behind after installing applications or frameworks are an ongoing problem. After installation, removing any "demo" or "example" folders is usually best. A few days ago, Ravindu Wickramasinghe noticed that the Angular-base64-upload project leaves behind a demo folder containing a script that allows arbitrary file uploads without authentication [1]. Exploitation of the vulnerability is trivial: an attacker can use the file upload script to upload a web shell and thereby obtain remote command execution with all the privileges granted to the web server.
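The cleanup advice above can be checked mechanically. As an added example (not from the original post or the Angular-base64-upload project), this Python audit walks a web root and lists server-side scripts sitting under demo or example folders; the extension list, the plural folder names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Folder names the post says to remove after installation (plurals added here).
DEMO_DIR_NAMES = {"demo", "demos", "example", "examples"}
# Assumption: extensions a web server commonly executes; adjust to your stack.
SERVER_SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".aspx", ".cgi", ".pl", ".py"}


def find_leftover_demo_scripts(web_root):
    """Return sorted relative paths of server-side scripts located under any
    directory named like a demo/example folder inside web_root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, web_root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # Flag files whose path has a demo/example folder at any depth.
        if not any(p.lower() in DEMO_DIR_NAMES for p in parts):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SERVER_SCRIPT_EXTS:
                findings.append(os.path.join(rel_dir, name))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (not taken from any real project)."""
    layout = [
        "index.html",
        "vendor/some-widget/src/widget.js",
        "vendor/some-widget/demo/index.html",
        "vendor/some-widget/demo/upload-handler.php",
        "vendor/other-lib/Examples/nested/run.cgi",
        "app/api/upload.php",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for hit in find_leftover_demo_scripts(root):
            print("leftover demo script:", hit)
```

Static files such as `demo/index.html` are not reported, and scripts outside demo or example folders (`app/api/upload.php` in the sample) are out of scope for this check.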
