Description

A Command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. NOTE: this is not part of any NGINX software shipped by F5.

Related CPE's

a

jc21

nginx_proxy_manager

2.11.3

Vulnerable

References

https://github.com/NginxProxyManager/nginx-proxy-manager/blob/v2.11.3/backend/internal/certificate.js#L870

Product

https://github.com/NginxProxyManager/nginx-proxy-manager/commit/99cce7e2b0da2978411cedd7cac5fffbe15bc466

Product

https://github.com/NginxProxyManager/nginx-proxy-manager/pull/4073/commits/c39d5433bcd13993def222bbb2b6988bbb810a05

Patch

https://github.com/barttran2k/POC_CVE-2024-46256

Exploit

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary
CWE-89

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2024-09-27T16:15:05.870Z

1 year ago

Last modified

2025-06-03T09:55:19.547Z

7 months ago