How severe is CVE-2024-1540?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.6 out of 10.

What type of vulnerability is CVE-2024-1540?

This is classified as CWE-77, which is a common weakness in software security.

CVE-2024-1540 - HIGH Severity | CVSS 8.6

Vulnerability Description

A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a `run` operation, where expressions inside `${{ }}` are evaluated and substituted before script execution. Remediation involves setting untrusted input values to intermediate environment variables to prevent direct influence on script generation.

Related Vulnerabilities

CVE-2024-35340

HIGH

CVSS:8.6(High)

Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the cmdinput parameter at ip/goform/formexeCommand.

CWE-772024

CVE-2024-42348

HIGH

CVSS:8.6(High)

FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in 1.5.10.41.3 and ...

CWE-772024

CVE-2025-29230

HIGH

CVSS:8.6(High)

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.emailReg function. The vulnerability can be triggered via the `pt["email"]` parameter.

CWE-772025

CVE-2015-5003

HIGH

CVSS:8.5(High)

The portal in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 through FP5, and 6.3.0 before FP7 allows remote authenticated users to execute arbitrary commands by leveraging Take Action view auth...

CWE-772015

CVE-2019-11278

HIGH

CVSS:8.7(High)

CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with 'client.write' and 'groups.update' can craft a SCIM query, which leaks information th...

CWE-772019

CVE-2019-11279

HIGH

CVSS:8.7(High)

CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any s...

CWE-772019