CVE-2024-11238
Published: 15 November 2024
Summary
CVE-2024-11238 is a medium-severity Path Traversal (CWE-22) vulnerability in Landray Landray Ekp. Its CVSS base score is 6.9 (Medium).
Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-11238 is a path traversal vulnerability classified as critical and tracked under CWE-22. It affects the Landray EKP platform up to version 16.0, specifically the delPreviewFile function exposed at the endpoint /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The flaw arises from improper handling of the directoryPath argument, which can be manipulated to traverse directories on the server.
Remote attackers with no authentication or user interaction required can exploit the issue over the network. Successful exploitation allows modification or deletion of files outside the intended directory scope, resulting in limited integrity and availability impacts as reflected in the CVSS 6.9 vector.
No vendor patch or mitigation guidance is available, as Landray was notified prior to disclosure but did not respond. Public exploit details have been released, and the EPSS score has reached a peak of 0.1453 with a current value of 0.1200.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33695
Vulnerability details
A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible to initiate the…
more
attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.