CVE-2024-9904

A vulnerability classified as critical was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This vulnerability affects the function pictureUpload of the file /admin/File/pictureUpload. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.

CVSS v3 4.7 MEDIUM
CVSS v2.0 5.8 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:M/C:P/I:P/A:P

Exploitability : 6.4 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/DeepMountains/Mirage/blob/main/CVE19-2.md	Exploit Third Party Advisory
https://vuldb.com/?ctiid.280180	Permissions Required VDB Entry
https://vuldb.com/?id.280180	Third Party Advisory VDB Entry
https://vuldb.com/?submit.421686	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:07fly:07flycms::::::::
	cpe:2.3:a:07fly:customer_relationship_management::::::::

History

30 Jul 2025, 15:01

Type	Values Removed	Values Added
First Time		07fly 07flycms 07fly 07fly customer Relationship Management
CPE		cpe:2.3:a:07fly:07flycms:::::::: cpe:2.3:a:07fly:customer_relationship_management::::::::
References	~~() https://github.com/DeepMountains/Mirage/blob/main/CVE19-2.md -~~	() https://github.com/DeepMountains/Mirage/blob/main/CVE19-2.md - Exploit, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.280180 -~~	() https://vuldb.com/?ctiid.280180 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.280180 -~~	() https://vuldb.com/?id.280180 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.421686 -~~	() https://vuldb.com/?submit.421686 - Third Party Advisory, VDB Entry

15 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una vulnerabilidad clasificada como crítica en 07FLYCMS, 07FLY-CMS y 07FlyCRM hasta la versión 1.2.0. Esta vulnerabilidad afecta a la función pictureUpload del archivo /admin/File/pictureUpload. La manipulación del archivo de argumentos permite la carga sin restricciones. El ataque puede iniciarse de forma remota. El exploit se ha hecho público y puede utilizarse. El producto afectado se conoce con diferentes nombres como 07FLYCMS, 07FLY-CMS y 07FlyCRM. No fue posible ponerse en contacto con el proveedor antes de asignar un CVE debido a que la dirección de correo electrónico no funcionaba.

13 Oct 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-13 02:15

Updated : 2025-07-30 15:01

NVD link : CVE-2024-9904

Mitre link : CVE-2024-9904

CVE.ORG link : CVE-2024-9904

JSON object : View

Products Affected

07fly

customer_relationship_management
07flycms

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

4.7 /10