CVE-2024-28335
📋 TL;DR
Lektor CMS versions before 3.3.11 have a path traversal vulnerability that allows remote code execution. Attackers can exploit this by tricking users into visiting malicious websites that send requests to the local Lektor server on port 5000. This affects developers and content creators running Lektor's development server locally.
💻 Affected Systems
- Lektor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary command execution on the host running Lektor server, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local file system access and limited command execution on the developer's workstation, potentially stealing source code, credentials, or sensitive project files.
If Mitigated
No impact if Lektor server is not running or is properly firewalled from browser requests.
🎯 Exploit Status
Exploitation requires user interaction (visiting malicious site) but no authentication to Lektor server. Proof of concept available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.11
Vendor Advisory: https://github.com/lektor/lektor/releases/tag/v3.3.11
Restart Required: Yes
Instructions:
1. Stop the Lektor server.
2. Run: pip install --upgrade lektor==3.3.11
3. Restart the Lektor server.
🔧 Temporary Workarounds
Disable Lektor Server
All platforms: stop using the 'lektor server' command during development
kill $(lsof -t -i:5000)
pkill -f 'lektor server'
Block Localhost Port 5000
Linux: use a firewall to block browser access to localhost:5000. Note that these rules also block the developer's own browser, since it reaches the server over the same loopback interface, so they are only useful while the server is not needed.
sudo ufw deny 5000
sudo iptables -A INPUT -p tcp --dport 5000 -j DROP
🧯 If You Can't Patch
- Run Lektor server in isolated container/virtual machine
- Use browser extensions that block localhost requests from web pages
🔍 How to Verify
Check if Vulnerable:
Check if Lektor server is running on port 5000 and version is below 3.3.11
Check Version:
lektor --version
Verify Fix Applied:
Confirm lektor --version shows 3.3.11 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in Lektor server logs
- Requests to template files with path traversal sequences
Network Indicators:
- HTTP requests to localhost:5000 from browser processes
- Unusual outbound connections from Lektor process
SIEM Query:
process_name:"lektor" AND (destination_port:5000 OR command_line:"server")
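To act on the "Requests to template files with path traversal sequences" log indicator above, here is an added example (not part of this advisory or of the Lektor project) that scans Werkzeug-style dev-server access log lines for ".." segments in the request path or query values, after undoing single and double percent-encoding and backslash separators. The log line format, the route names and the sample lines are constructed assumptions, not Lektor's real admin API paths.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Werkzeug-style access log line as printed by a Flask/Werkzeug dev server (format assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# A lone ".." path segment, checked after decoding and normalising backslashes to "/".
TRAVERSAL_SEGMENT = re.compile(r'(^|/)\.\.(/|$)')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    return bool(TRAVERSAL_SEGMENT.search(decode_fully(value).replace('\\', '/')))

def traversal_hits(target):
    """Return the decoded path and query values of a request target that contain '..' segments."""
    parts = urlsplit(target)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [decode_fully(c) for c in candidates if has_traversal(c)]

def flag_line(line):
    """Parse one log line; return a finding dict if it carries a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = traversal_hits(m['target'])
    if not hits:
        return None
    return {'ts': m['ts'], 'method': m['method'], 'target': m['target'],
            'status': int(m['status']), 'hits': hits}

def scan(lines):
    return [f for f in map(flag_line, lines) if f]

# Constructed sample log; the routes below are placeholders, not Lektor's actual admin routes.
SAMPLE_LOG = """\
127.0.0.1 - - [06/Mar/2024 10:01:02] "GET /admin/ HTTP/1.1" 200 -
127.0.0.1 - - [06/Mar/2024 10:01:05] "GET /static/site.css HTTP/1.1" 200 -
127.0.0.1 - - [06/Mar/2024 10:02:10] "POST /admin/api/upload?path=..%2F..%2Ftemplates HTTP/1.1" 200 -
127.0.0.1 - - [06/Mar/2024 10:02:11] "GET /admin/api/raw?p=%252e%252e%252fconfig HTTP/1.1" 404 -
127.0.0.1 - - [06/Mar/2024 10:03:00] "GET /docs/..topic/ HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    for flag in scan(SAMPLE_LOG.splitlines()):
        print(f"{flag['ts']} {flag['method']} {flag['target']} -> {flag['hits']}")
```

The fifth sample line shows why the check is on whole ".." segments rather than any ".." substring: a legitimate path component that merely starts with two dots is not flagged.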
🔗 References
- https://brave.com/privacy-updates/27-localhost-permission/
- https://cxsecurity.com/issue/WLB-2024030043
- https://getlektor.com/docs/quickstart
- https://github.com/lektor/lektor/pull/1179/commits/8f38b9713d152622b69ff5e3b1e6a0d7bb7fa800
- https://github.com/lektor/lektor/releases/tag/v3.3.11
- https://packetstormsecurity.com/files/177708/Lektor-Static-CMS-3.3.10-Arbitrary-File-Upload-Remote-Code-Execution.html