CVE-2024-47769 HIGH

CVE-2024-47769: IDURAR has a Path Traversal (unauthenticated user can read sensitive data)

Vendor Idurar
Product idurar-erp-crm
Weakness CWE-22 · Path traversal
Published October 4, 2024
Last update October 4, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

IDURAR is open source ERP/CRM accounting and invoicing software. The vulnerability exists in the corePublicRouter.js file. Using the reference usage here, it is identified that the public endpoint is accessible to an unauthenticated user, and that the user's input is appended directly to the path join statement without additional checks. An attacker can therefore send a URL-encoded malicious payload in the subpath location to escape the directory structure and read system files.

Key dates

Disclosure timeline

October 4, 2024 CVE published
October 4, 2024 Record updated