CVE-2024-21575

CRITICAL Year: 2024
CVSS v3 Score
8.6
High
Weakness Type
CWE-35
View all →

Vulnerability Description

ComfyUI-Impact-Pack is vulnerable to Path Traversal. The issue stems from missing validation of the `image.filename` field in a POST request sent to the `/upload/temp` endpoint added by the extension to the server. This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE).

Related Vulnerabilities

CVE-2024-49249

HIGH
CVSS:8.6(High)

Path Traversal vulnerability in SMSA Express SMSA Shipping allows Path Traversal.This issue affects SMSA Shipping: from n/a through 2.3.

CWE-352024

CVE-2024-52447

HIGH
CVSS:8.6(High)

Path Traversal: '.../...//' vulnerability in Corporate Zen Contact Page With Google Map allows Path Traversal.This issue affects Contact Page With Google Map: from n/a through 1.6.1.

CWE-352024

CVE-2024-56049

HIGH
CVSS:8.5(High)

Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.

CWE-352024

CVE-2024-56055

HIGH
CVSS:8.5(High)

Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.

CWE-352024

CVE-2023-46690

HIGH
CVSS:8.8(High)

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution.

CWE-352023

CVE-2023-5800

HIGH
CVSS:8.8(High)

Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw c...

CWE-352023