CVE-2024-50497: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wdesco Advanced Online Ordering and Delivery Platform
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform (advanced-online-ordering-and-delivery-platform) allows PHP Local File Inclusion. This issue affects Advanced Online Ordering and Delivery Platform: from n/a through <= 2.0.0.
AI Analysis
Technical Summary
CVE-2024-50497 is a PHP Local File Inclusion (LFI) vulnerability in the wdesco Advanced Online Ordering and Delivery Platform, affecting all versions up to and including 2.0.0. The weakness is CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program): a request parameter reaches a PHP include or require statement without adequate validation, so the client decides which file the interpreter loads. Although CWE-98 is titled "PHP Remote File Inclusion", the advisory classifies the reachable impact as local inclusion: the attacker can include files that already exist on the server, not fetch them from a remote URL (which PHP's default allow_url_include=Off blocks in any case).

What an included file does depends on its content. A file PHP can parse is executed; a file it cannot parse (configuration files, .htaccess, logs) is echoed back, disclosing its contents. LFI is therefore a confidentiality problem by default and becomes remote code execution when the attacker can first place PHP code on disk, for example through an unrestricted upload or by writing into a log or session file that is then included. These escalation paths are general to LFI; the advisory does not confirm any of them for this product, and no public exploit is known.

The root cause is missing input validation: the file path is built from untrusted input with no allowlist of permitted values. The advisory does not state whether the vulnerable parameter is reachable before authentication, so defenders should treat the flaw as remotely exploitable by unauthenticated users until the vendor says otherwise. No CVSS score has been published. The CVE was reserved on 2024-10-24 and published on 2024-10-28 by Patchstack, the assigning CNA. No fixed version is referenced (the affected range is "n/a through <= 2.0.0"), so mitigation currently depends on vendor updates or on code review and hardening of the deployment.
Potential Impact
Successful exploitation lets an attacker read files the web server process can open, which typically includes configuration files holding database credentials, application source code, and any customer data stored on the file system. That alone is a confidentiality breach and, for an ordering platform, likely exposes personally identifiable information. Where the attacker can also get PHP code onto disk (an upload feature, a poisoned log or session file), the same inclusion primitive yields code execution as the web server user, and from there the usual paths to full host compromise and lateral movement apply.

Because the platform is customer-facing and, in a typical deployment, integrated with payment and customer-record systems, the consequences extend beyond the host itself: service disruption, regulatory exposure for the data involved, and loss of customer trust. If the vulnerable parameter turns out to be reachable without authentication, the attack is a single crafted HTTP request, which makes unpatched instances an easy target for opportunistic scanning once details circulate.
Mitigation Recommendations
To mitigate CVE-2024-50497, organizations should take the following actions:
1) Watch the vendor's and Patchstack's channels for a fixed release and apply it as soon as it is available. If the component is not essential, disable it until then.
2) Review every include/require statement in the affected platform. Any statement whose path is derived from request data must be rewritten so the client value is only used as a key into a fixed allowlist of known files; user input must never be concatenated into a path, even after "sanitization", because traversal sequences, encoding variants and stream wrappers such as php://filter are hard to filter reliably.
3) Deploy WAF rules that block common LFI payloads (../ and its URL-encoded forms, null bytes, php://, data:// and similar wrappers in query parameters) as a stopgap. Treat this as detection and friction, not a fix: encoding tricks and parameter variations routinely bypass signature rules.
4) Tighten file-system permissions so the web server user can read only what the application needs. include() requires read access, so files it cannot read cannot be disclosed; keep secrets in files owned by another user or in environment variables rather than in world-readable config.
5) Harden the PHP configuration: set open_basedir to confine inclusion to the application tree, and confirm allow_url_include stays Off (its default since PHP 5.2, and deprecated since 7.4) so the LFI cannot be turned into remote inclusion. Note that disable_functions does not affect include/require.
6) Log and alert on requests whose parameters contain traversal sequences, null bytes, wrapper prefixes or absolute paths, and on 4xx responses from the affected endpoints. Log the rejected value escaped or hex-encoded so the log file itself cannot be used for log poisoning.
7) Train development and security teams on the allowlist pattern for dynamic inclusion so the same class of bug is not reintroduced.
8) Place the platform in a segmented network zone with egress controls, limiting what an attacker can reach from a compromised web host.
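The following is an added example, not code from the wdesco platform or from Patchstack, showing the pattern CWE-98 describes beside an allowlist-based replacement that implements items 2 and 6 above. The request parameter name "page", the templates/ directory and the template names are assumptions made for the demonstration; the indicator checks are the generic LFI patterns a WAF or SIEM rule would look for. It needs PHP 8.0 or later for str_contains and str_starts_with.

```php
<?php
declare(strict_types=1);

// Illustrative only: the shape of the flaw CWE-98 describes. "page" as the
// parameter name and templates/ as the directory are assumptions.
function load_page_vulnerable(string $page): void
{
    // The client-controlled string reaches include(): "../../config" style
    // traversal, absolute paths and php://filter wrappers all get through.
    include __DIR__ . '/templates/' . $page . '.php';
}

// Fixed mapping from public identifiers to files. The client value is only
// ever used as an array key; it is never part of a path. (Assumed names.)
const PAGE_TEMPLATES = [
    'menu'     => 'menu.php',
    'cart'     => 'cart.php',
    'checkout' => 'checkout.php',
];

// Names of generic LFI indicators present in a raw parameter value, for the
// loader's own logging and as the basis of a WAF/SIEM rule.
function lfi_indicators(string $value): array
{
    $decoded = rawurldecode(rawurldecode($value)); // single and double encoding
    $checks = [
        'traversal'     => str_contains($decoded, '../') || str_contains($decoded, '..\\'),
        'null_byte'     => str_contains($decoded, "\0"),
        'php_wrapper'   => (bool) preg_match('#\A(php|phar|data|file|expect|zip)://#i', $decoded),
        'absolute_path' => str_starts_with($decoded, '/') || (bool) preg_match('#\A[a-z]:\\\\#i', $decoded),
    ];
    return array_keys(array_filter($checks));
}

// Resolve a page identifier to a template path, or null if it is not allowed.
function resolve_template(string $page, string $baseDir): ?string
{
    // Strict shape check first, so nothing odd even reaches the lookup.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGE_TEMPLATES[$page]);
    // Defence in depth: even a bad allowlist entry must resolve inside $baseDir.
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

function load_page_hardened(string $page, string $baseDir): bool
{
    $path = resolve_template($page, $baseDir);
    if ($path === null) {
        // Log the rejected value JSON-escaped and length-capped so the log
        // line itself cannot carry PHP code for a later log-poisoning attempt.
        error_log(sprintf('rejected page id %s indicators=[%s]',
            json_encode(substr($page, 0, 64)), implode(',', lfi_indicators($page))));
        return false;
    }
    include $path;
    return true;
}

// Demo: build a throwaway template directory and run constructed payloads.
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (PAGE_TEMPLATES as $file) {
    file_put_contents("$dir/$file", "<?php echo 'rendered ', basename(__FILE__), PHP_EOL;");
}
$payloads = [
    'menu', 'checkout', 'admin',                 // two allowed, one unknown id
    '../../../../etc/passwd', '..%2f..%2fconfig', // traversal, encoded traversal
    'php://filter/convert.base64-encode/resource=index',
    "menu\0", '/etc/passwd',                      // null byte, absolute path
];
foreach ($payloads as $p) {
    $ok = load_page_hardened($p, $dir);
    printf("%-55s -> %s\n", json_encode($p), $ok ? 'included' : 'rejected');
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it with `php lfi_demo.php`: only `menu` and `checkout` are included; every other payload is rejected and the indicator names appear on stderr via error_log. The realpath containment check is deliberately redundant with the allowlist; it costs one syscall and catches the day someone adds an entry like `'../admin.php'` to PAGE_TEMPLATES.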
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2024-10-24T07:26:59.133Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 69cd74fbe6bfc5ba1df020ce
Added to database: 4/1/2026, 7:41:47 PM
Last enriched: 4/2/2026, 10:58:49 AM
Last updated: 4/6/2026, 11:26:34 AM