Improper neutralization of directives in statically saved code (\'static code injection\') in Mongoose - CVE-2024-50672
Published: November 27, 2024 / Updated: June 23, 2025
Vulnerability identifier: #VU111838
CSH Severity: Medium
CVSS v4.0:
CVE-ID: CVE-2024-50672
CWE-ID: CWE-96
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cesanta Software Ltd.
Affected software:
Mongoose
Mongoose
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the 'Reset password' feature. The vulnerability occurs due to insufficient validation of user input, which is used as a query in Mongoose's find() function. This makes it possible for attackers to perform a full takeover of the administrator account. Attackers can then use the newly gained administrative privileges to upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application.
How to mitigate CVE-2024-50672
Install update from vendor's repository.