IDURAR is open source ERP/CRM accounting and invoicing software. The vulnerability is in the corePublicRouter.js file: the public endpoint it defines is reachable by unauthenticated users, and the user's input is appended directly to the path join statement without any further check. An attacker can therefore send a URL-encoded malicious payload in the subpath location, escape the intended directory, and read system files.
References
| Link | Resource |
|---|---|
| https://github.com/idurar/idurar-erp-crm/commit/949bc6fe31f3175c9e1864d30cf6c8110179ac14 | Patch |
| https://github.com/idurar/idurar-erp-crm/security/advisories/GHSA-948g-2vm7-mfv7 | Exploit, Vendor Advisory |
Configurations
History
13 Nov 2024, 15:12
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:idurarapp:idurar:*:*:*:*:*:*:*:* |
| First Time | | Idurarapp idurar; Idurarapp |
| References | | https://github.com/idurar/idurar-erp-crm/commit/949bc6fe31f3175c9e1864d30cf6c8110179ac14 - Patch |
| References | | https://github.com/idurar/idurar-erp-crm/security/advisories/GHSA-948g-2vm7-mfv7 - Exploit, Vendor Advisory |
07 Oct 2024, 17:48
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | |
04 Oct 2024, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2024-10-04 15:15
Updated : 2024-11-13 15:12
NVD link : CVE-2024-47769
Mitre link : CVE-2024-47769
CVE.ORG link : CVE-2024-47769
Products Affected
idurarapp
- idurar