CVE-2024-24724

Published: Apr 3, 2024Modified: Jul 17, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.

Affected (1)

Products: Gibbonedu: Gibbon

Gibbonedu

1 product

Gibbon

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gibbonedu Gibbon	Up to 26.0.00

Related CWEs

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

References (4)

https://gibbonedu.org/download/

Source: cve@mitre.org

Product

https://packetstormsecurity.com/files/177857

Source: cve@mitre.org

Exploit

https://gibbonedu.org/download/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://packetstormsecurity.com/files/177857

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.