CVE-2024-35592
📋 TL;DR
An arbitrary file upload vulnerability in Box-IM v2.0 allows attackers to upload malicious PDF files that can execute arbitrary code on the server. This affects all users running the vulnerable version of Box-IM, potentially leading to complete system compromise.
💻 Affected Systems
- Box-IM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, or use as a pivot point into internal networks.
Likely Case
Webshell installation allowing persistent backdoor access and data exfiltration.
If Mitigated
Limited impact with proper file validation and execution restrictions in place.
🎯 Exploit Status
The vulnerability allows direct file upload without authentication, making exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider workarounds or alternative software.
🔧 Temporary Workarounds
Implement File Upload Restrictions
allConfigure web server to block PDF uploads or restrict upload directory execution permissions.
# For Apache: Add to .htaccess
<FilesMatch "\.(pdf)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# For Nginx: Add to server block
location ~*\.pdf$ {
deny all;
}
Disable Upload Function
allTemporarily disable the upload functionality in Box-IM configuration.
# Edit Box-IM configuration to disable upload feature
# Configuration file location varies by installation
🧯 If You Can't Patch
- Implement strict file type validation and content inspection for all uploads
- Deploy WAF rules to block malicious file upload patterns
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a PDF file to the Box-IM upload endpoint and check if it's accepted without validation.Check Version:
# Check Box-IM version in web interface or configuration filesVerify Fix Applied:
Test that PDF uploads are properly rejected or sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual PDF file uploads
- Multiple failed upload attempts
- Uploads with suspicious filenames
Network Indicators:
- POST requests to upload endpoints with PDF content
- Unusual outbound connections after upload
SIEM Query:
source="web_logs" AND (uri_path="/upload" OR uri_path="*upload*") AND (file_extension="pdf" OR content_type="application/pdf")🔗 References
- https://github.com/Joying-C/Cross-site-scripting-vulnerability/blob/main/BOX-IM_Cross_site%20_scripting%20_vulnerability/BOX-IM_Cross_site%20_scripting%20_vulnerability.pdf
- https://github.com/Joying-C/Cross-site-scripting-vulnerability/blob/main/BOX-IM_Cross_site%20_scripting%20_vulnerability/BOX-IM_Cross_site%20_scripting%20_vulnerability.pdf
