Search criteria
6 vulnerabilities found for DumbDrop by DumbWareio
CVE-2025-47929 (GCVE-0-2025-47929)
Vulnerability from cvelistv5 – Published: 2025-05-15 20:11 – Updated: 2025-05-28 19:55
VLAI?
Title
DumbDrop vulnerable to DOM XSS via file upload
Summary
DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. A user could be tricked into uploading a file with a malicious payload. Commit db27b25372eb9071e63583d8faed2111a2b79f1b fixes the vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DumbWareio | DumbDrop |
Affected:
< db27b25372eb9071e63583d8faed2111a2b79f1b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T20:27:28.715894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T19:55:21.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DumbDrop",
"vendor": "DumbWareio",
"versions": [
{
"status": "affected",
"version": "\u003c db27b25372eb9071e63583d8faed2111a2b79f1b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. A user could be tricked into uploading a file with a malicious payload. Commit db27b25372eb9071e63583d8faed2111a2b79f1b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:11:55.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-gj32-5mgw-2w27",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-gj32-5mgw-2w27"
},
{
"name": "https://github.com/DumbWareio/DumbDrop/commit/db27b25372eb9071e63583d8faed2111a2b79f1b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DumbWareio/DumbDrop/commit/db27b25372eb9071e63583d8faed2111a2b79f1b"
}
],
"source": {
"advisory": "GHSA-gj32-5mgw-2w27",
"discovery": "UNKNOWN"
},
"title": "DumbDrop vulnerable to DOM XSS via file upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47929",
"datePublished": "2025-05-15T20:11:55.892Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-05-28T19:55:21.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24971 (GCVE-0-2025-24971)
Vulnerability from cvelistv5 – Published: 2025-02-04 18:53 – Updated: 2025-02-04 19:57
VLAI?
Title
OS Command Injection endpoint '/upload/init' parameter 'filename' (RCE) in DumpDrop
Summary
DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DumbWareio | DumbDrop |
Affected:
< 4ff8469d
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24971",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:57:11.074479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T19:57:20.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DumbDrop",
"vendor": "DumbWareio",
"versions": [
{
"status": "affected",
"version": "\u003c 4ff8469d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T18:53:30.287Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp"
},
{
"name": "https://github.com/DumbWareio/DumbDrop/commit/4ff8469d69019d200046a67d326f51703bc4da63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DumbWareio/DumbDrop/commit/4ff8469d69019d200046a67d326f51703bc4da63"
}
],
"source": {
"advisory": "GHSA-rx8m-jqm7-vcgp",
"discovery": "UNKNOWN"
},
"title": "OS Command Injection endpoint \u0027/upload/init\u0027 parameter \u0027filename\u0027 (RCE) in DumpDrop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24971",
"datePublished": "2025-02-04T18:53:30.287Z",
"dateReserved": "2025-01-29T15:18:03.210Z",
"dateUpdated": "2025-02-04T19:57:20.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24891 (GCVE-0-2025-24891)
Vulnerability from cvelistv5 – Published: 2025-01-31 23:02 – Updated: 2025-02-12 20:51
VLAI?
Title
Dumb Drop has an arbitrary file overwrite and path traversal for root shell
Summary
Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.
Severity ?
9.7 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DumbWareio | DumbDrop |
Affected:
= sha256:bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24891",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T15:48:57.611923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:22.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DumbDrop",
"vendor": "DumbWareio",
"versions": [
{
"status": "affected",
"version": "= sha256:bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it\u0027s possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T23:02:19.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-24f2-fv38-3274",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-24f2-fv38-3274"
},
{
"name": "https://github.com/DumbWareio/DumbDrop/commit/cb586316648ccbfb21d27b84e90d72ccead9819d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DumbWareio/DumbDrop/commit/cb586316648ccbfb21d27b84e90d72ccead9819d"
}
],
"source": {
"advisory": "GHSA-24f2-fv38-3274",
"discovery": "UNKNOWN"
},
"title": "Dumb Drop has an arbitrary file overwrite and path traversal for root shell"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24891",
"datePublished": "2025-01-31T23:02:19.734Z",
"dateReserved": "2025-01-27T15:32:29.450Z",
"dateUpdated": "2025-02-12T20:51:22.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47929 (GCVE-0-2025-47929)
Vulnerability from nvd – Published: 2025-05-15 20:11 – Updated: 2025-05-28 19:55
VLAI?
Title
DumbDrop vulnerable to DOM XSS via file upload
Summary
DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. A user could be tricked into uploading a file with a malicious payload. Commit db27b25372eb9071e63583d8faed2111a2b79f1b fixes the vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DumbWareio | DumbDrop |
Affected:
< db27b25372eb9071e63583d8faed2111a2b79f1b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T20:27:28.715894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T19:55:21.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DumbDrop",
"vendor": "DumbWareio",
"versions": [
{
"status": "affected",
"version": "\u003c db27b25372eb9071e63583d8faed2111a2b79f1b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. A user could be tricked into uploading a file with a malicious payload. Commit db27b25372eb9071e63583d8faed2111a2b79f1b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:11:55.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-gj32-5mgw-2w27",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-gj32-5mgw-2w27"
},
{
"name": "https://github.com/DumbWareio/DumbDrop/commit/db27b25372eb9071e63583d8faed2111a2b79f1b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DumbWareio/DumbDrop/commit/db27b25372eb9071e63583d8faed2111a2b79f1b"
}
],
"source": {
"advisory": "GHSA-gj32-5mgw-2w27",
"discovery": "UNKNOWN"
},
"title": "DumbDrop vulnerable to DOM XSS via file upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47929",
"datePublished": "2025-05-15T20:11:55.892Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-05-28T19:55:21.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24971 (GCVE-0-2025-24971)
Vulnerability from nvd – Published: 2025-02-04 18:53 – Updated: 2025-02-04 19:57
VLAI?
Title
OS Command Injection endpoint '/upload/init' parameter 'filename' (RCE) in DumpDrop
Summary
DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DumbWareio | DumbDrop |
Affected:
< 4ff8469d
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24971",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:57:11.074479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T19:57:20.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DumbDrop",
"vendor": "DumbWareio",
"versions": [
{
"status": "affected",
"version": "\u003c 4ff8469d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DumpDrop is a stupid simple file upload application that provides an interface for dragging and dropping files. An OS Command Injection vulnerability was discovered in the DumbDrop application, `/upload/init` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely when the **Apprise Notification** enabled. This issue has been addressed in commit `4ff8469d` and all users are advised to patch. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T18:53:30.287Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-rx8m-jqm7-vcgp"
},
{
"name": "https://github.com/DumbWareio/DumbDrop/commit/4ff8469d69019d200046a67d326f51703bc4da63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DumbWareio/DumbDrop/commit/4ff8469d69019d200046a67d326f51703bc4da63"
}
],
"source": {
"advisory": "GHSA-rx8m-jqm7-vcgp",
"discovery": "UNKNOWN"
},
"title": "OS Command Injection endpoint \u0027/upload/init\u0027 parameter \u0027filename\u0027 (RCE) in DumpDrop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24971",
"datePublished": "2025-02-04T18:53:30.287Z",
"dateReserved": "2025-01-29T15:18:03.210Z",
"dateUpdated": "2025-02-04T19:57:20.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24891 (GCVE-0-2025-24891)
Vulnerability from nvd – Published: 2025-01-31 23:02 – Updated: 2025-02-12 20:51
VLAI?
Title
Dumb Drop has an arbitrary file overwrite and path traversal for root shell
Summary
Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.
Severity ?
9.7 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DumbWareio | DumbDrop |
Affected:
= sha256:bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24891",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T15:48:57.611923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:22.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DumbDrop",
"vendor": "DumbWareio",
"versions": [
{
"status": "affected",
"version": "= sha256:bd110df9fcab4fb9c384c245345b7dd34e52d2cabc3cda9bfbbbc5ffb0606d97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it\u0027s possible to inject malicious payloads into files ran on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T23:02:19.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-24f2-fv38-3274",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/DumbWareio/DumbDrop/security/advisories/GHSA-24f2-fv38-3274"
},
{
"name": "https://github.com/DumbWareio/DumbDrop/commit/cb586316648ccbfb21d27b84e90d72ccead9819d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DumbWareio/DumbDrop/commit/cb586316648ccbfb21d27b84e90d72ccead9819d"
}
],
"source": {
"advisory": "GHSA-24f2-fv38-3274",
"discovery": "UNKNOWN"
},
"title": "Dumb Drop has an arbitrary file overwrite and path traversal for root shell"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24891",
"datePublished": "2025-01-31T23:02:19.734Z",
"dateReserved": "2025-01-27T15:32:29.450Z",
"dateUpdated": "2025-02-12T20:51:22.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}