CVE-2024-11239

A vulnerability has been found in Landray EKP up to 16.0 and classified as critical. It affects the function deleteFile of the file /sys/common/import.do?method=deleteFile of the component API Interface. Manipulation of the argument "folder" leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
Link Resource
https://github.com/CoinIsMoney/TempGuide/blob/main/LL-exp-03.pdf Exploit
https://vuldb.com/?ctiid.284674 Permissions Required, VDB Entry
https://vuldb.com/?id.284674 Permissions Required, VDB Entry
https://vuldb.com/?submit.438784 Third Party Advisory, VDB Entry
Configurations

Configuration 1

cpe:2.3:a:landray:landray_ekp:*:*:*:*:*:*:*:*

History

19 Nov 2024, 19:00

Type Values Removed Values Added
CPE cpe:2.3:a:landray:landray_ekp:*:*:*:*:*:*:*:*
References () https://github.com/CoinIsMoney/TempGuide/blob/main/LL-exp-03.pdf - () https://github.com/CoinIsMoney/TempGuide/blob/main/LL-exp-03.pdf - Exploit
References () https://vuldb.com/?ctiid.284674 - () https://vuldb.com/?ctiid.284674 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.284674 - () https://vuldb.com/?id.284674 - Permissions Required, VDB Entry
References () https://vuldb.com/?submit.438784 - () https://vuldb.com/?submit.438784 - Third Party Advisory, VDB Entry
Summary
  • (es) A vulnerability has been found in Landray EKP up to version 16.0 and classified as critical. This vulnerability affects the function deleteFile of the file /sys/common/import.do?method=deleteFile of the component API Interface. Manipulation of the argument "folder" leads to path traversal. The attack can be initiated remotely. The exploit has been made public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS v2 : 5.5, v3 : 5.4 (removed); v2 : 5.5, v3 : 4.3 (added)
First Time Landray landray Ekp
Landray

15 Nov 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-15 14:15

Updated : 2024-11-19 19:00


NVD link : CVE-2024-11239

Mitre link : CVE-2024-11239

CVE.ORG link : CVE-2024-11239



Products Affected

landray

  • landray_ekp
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')