CVE-2024-28386: An issue in Home-Made.io fastmagsync v.1.7.51 and before allows a remote attacker to execute arbitrary code via the getPhpBin() component.
9.8
CVSS
Description
An issue in Home-Made.io fastmagsync v.1.7.51 and before allows a remote attacker to execute arbitrary code via the getPhpBin() component.
Classification
CVE ID: CVE-2024-28386
CVSS Base Severity: CRITICAL
CVSS Base Score: 9.8
Affected Products
Vendor: n/a
Product: n/a
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.47% (probability of being exploited)
EPSS Percentile: 63.11% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: total
SSVC Automatable: true
References
https://nvd.nist.gov/vuln/detail/CVE-2024-28386http://fastmagsync.com
http://home-madeio.com
https://reference1.example.com/modules/fastmagsync/crons/cron_mutualise_job_queue.php?hosting=.%20%26%20%20echo%20%27%3C%3Fphp%20echo%20%2242ovh%22%3B%27%20%3E%20a.php%3B%23&syncway=tofastmag
https://www.home-made.io/module-fastmag-sync-prestashop/
https://security.friendsofpresta.org/modules/2024/03/19/fastmagsync.html