CVE-2024-34470

high-risk
Published 2024-05-06

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.

Do I need to act?

!
93.6% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.6/10 High
NETWORK / LOW complexity

Affected Products (1)

Mailinspector

Affected Vendors

Hsclabs

References (2)

Exploit https://github.com/osvaldotenorio/CVE-2024-34470
Exploit https://github.com/osvaldotenorio/CVE-2024-34470
54
/ 100
high-risk
Severity 29/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal