CVE-2024-11238

Medium · Public PoC

Published: 15 November 2024
Modified: 19 November 2024
KEV Added:
Patch:
CVSS Score v4: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1200 (93.9th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11238 is a medium-severity Path Traversal (CWE-22) vulnerability in Landray EKP. Its CVSS base score is 6.9 (Medium).

Operationally, it is ranked in the top 6.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-11238 is a path traversal vulnerability classified as critical and tracked under CWE-22. It affects the Landray EKP platform up to version 16.0, specifically the delPreviewFile function exposed at the endpoint /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The flaw arises from improper handling of the directoryPath argument, which can be manipulated to traverse directories on the server.

Remote attackers can exploit the issue over the network without authentication or user interaction. Successful exploitation allows modification or deletion of files outside the intended directory scope, resulting in limited integrity and availability impacts, as reflected in the CVSS 6.9 vector.

No vendor patch or mitigation guidance is available, as Landray was notified prior to disclosure but did not respond. Public exploit details have been released, and the EPSS score has reached a peak of 0.1453 with a current value of 0.1200.
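With no vendor fix to deploy, log review is a practical first check. The following is an added detection example, not code from the original page or from Landray: it scans web access logs for calls to the delPreviewFile endpoint and flags `directoryPath` values containing `..` segments, including double-encoded ones. The combined log format, the parameter appearing in the query string, the `/ekp` context prefix and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/sys/ui/sys_ui_component/sysUiComponent.do"  # path named in the advisory
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Strip extra percent-encoding layers so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot(path_value):
    """True when any path segment is '..' after decoding and slash folding."""
    segments = decode_fully(path_value).replace("\\", "/").split("/")
    return ".." in segments

def classify(line):
    """None: unrelated. 'call': delPreviewFile reached. 'traversal': '..' in directoryPath."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    if not url.path.endswith(ENDPOINT) or "delPreviewFile" not in params.get("method", []):
        return None
    if any(has_dotdot(v) for v in params.get("directoryPath", [])):
        return "traversal"
    return "call"  # still worth review: directoryPath may be in an unlogged request body

def scan(lines):
    """Return (line_number, verdict) for every line that touches the endpoint."""
    verdicts = ((n, classify(line)) for n, line in enumerate(lines, start=1))
    return [(n, v) for n, v in verdicts if v]

# Constructed sample lines (documentation IP ranges, harmless paths), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2024:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [19/Nov/2024:10:00:02 +0000] "POST /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile HTTP/1.1" 200 17',
    '203.0.113.7 - - [19/Nov/2024:10:00:03 +0000] "GET /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile&directoryPath=..%2Fdemo HTTP/1.1" 200 17',
    '203.0.113.7 - - [19/Nov/2024:10:00:04 +0000] "GET /ekp/sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile&directoryPath=%252e%252e%255cdemo HTTP/1.1" 200 17',
    '192.0.2.10 - - [19/Nov/2024:10:00:05 +0000] "GET /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile&directoryPath=preview%2Ftheme1 HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

Lines reported as `call` carry no visible `..` segment but still reached a file-deleting function, so they warrant correlation with file-system changes on the server.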

Vulnerability details

A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: landray
Product: landray ekp
Versions: ≤ 16.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
