CVE-2024-3187
MEDIUM EPSS 37.7%
Published Oct 17, 20241y ago · Modified Jun 17, 20262w ago
5.9 CVSS 3.1
Published Oct 17, 2024 1y ago
Last Modified Jun 17, 2026 2w ago
Description
This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability High
Threat Intelligence
EPSS Exploit Probability
37.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 2
CWE-415
CWE-416 Use After Free Memory Safety
References 1
- nozominetworks.com https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-3187
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.