.. / CVE-2024-6746

Exploit for EasySpider 0.6.2 - Arbitrary File Read (CVE-2024-6746)

Description:

A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: ‘../filedir’. The attack needs to be done within the local network.

Nuclei Template

View the template here CVE-2024-6746.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2024/CVE-2024-6746.yaml
Copy

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-6746
https://vuldb.com/?id.271477
https://vuldb.com/?submit.371998
https://github.com/NaiboWang/EasySpider
https://cvefeed.io/vuln/detail/CVE-2024-6746
https://vuldb.com/?ctiid.271477
https://github.com/NaiboWang/EasySpider/issues/466