Refine your search
1 vulnerability found for Loomio by Loomio
CVE-2024-1297 (GCVE-0-2024-1297)
Vulnerability from cvelistv5
Published
2024-02-19 23:41
Modified
2026-04-20 14:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Loomio version 2.22.0 allows executing arbitrary commands on the server.
This is possible because the application is vulnerable to OS Command Injection.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/loomio/loomio"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/stones"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:loomio:loomio:2.22.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loomio",
"vendor": "loomio",
"versions": [
{
"status": "affected",
"version": "2.22.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1297",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T19:46:03.187612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T19:46:53.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Loomio",
"vendor": "Loomio",
"versions": [
{
"status": "affected",
"version": "2.22.0"
}
]
}
],
"datePublic": "2024-02-19T23:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eLoomio version 2.22.0 allows executing arbitrary commands on the server.\u003c/div\u003e\u003cdiv\u003eThis is possible because the application is vulnerable to OS Command Injection.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Loomio version 2.22.0 allows executing arbitrary commands on the server.\n\nThis is possible because the application is vulnerable to OS Command Injection."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:00:52.781Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"product"
],
"url": "https://github.com/loomio/loomio"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/stones"
},
{
"tags": [
"patch"
],
"url": "https://github.com/loomio/loomio/commit/6bc5429bfb5a9c7c811a4487d97ea54a8b23a0fa#diff-b9a7e6b3dfb0fd855c11198a7c53e6f6f90945f28c78cc5dbd960d04d5d28203"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Loomio 2.22.0 - Code injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-1297",
"datePublished": "2024-02-19T23:41:47.207Z",
"dateReserved": "2024-02-06T21:45:03.994Z",
"dateUpdated": "2026-04-20T14:00:52.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}