CVE-2024-37728
Published: 10 September 2024
Summary
CVE-2024-37728 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
OfficeWeb365 versions 7.18.23.0 and 8.6.1.0, a document management product from Xi'an Daxi Information Technology Co., Ltd, contain an arbitrary file read vulnerability. The flaw is reachable over the network through the Pic/Indexes interface and is tracked under CWE-22 path traversal, allowing unauthenticated retrieval of arbitrary files on the server.
An attacker with no credentials can send crafted requests to the affected endpoint and obtain sensitive information such as configuration files or source code. The CVSS 7.5 score reflects the combination of network accessibility, low attack complexity, and high confidentiality impact without requiring user interaction.
Public proof-of-concept code has been posted to GitHub repositories, confirming the issue is reproducible, yet no vendor advisory or patch information is referenced in the available sources. The EPSS score has remained steady at 0.1345 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36811
Vulnerability details
Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Tracking information locations and access supports secure storage practices instead of insecure ones.
- Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information.
- Requiring protection of backup information directly addresses insecure storage of sensitive data in backups.
- Policy explicitly addresses insecure storage of CUI on external systems, requiring compliant handling and protections.
- Proper categorization drives selection of storage controls that keep sensitive information from being stored insecurely.
- The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class.
- Validates pathnames and filenames to prevent traversal outside intended directories.
- Storing information as fragments on distinct components is an architectural control that avoids insecure single-location storage of the complete sensitive data set.
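The pathname-validation control above is the one that directly closes a CWE-22 file-read flaw of the kind described under "Deeper analysis". The following is an added example of that control, written for this page; it is not OfficeWeb365 code and does not reflect how the Pic/Indexes interface is implemented. It assumes a hypothetical handler that maps a client-supplied, URL-encoded file name onto a file under a document root, and shows the containment check such a handler needs: decode once, join to the root, resolve fully (symlinks included), then require the result to stay under the root. The requests in `demo()` are constructed test inputs.

```python
"""Added example (not OfficeWeb365 code): confining a client-supplied file
name to a document root so that traversal sequences and symlinks cannot
reach files outside it."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the document root."""


def resolve_within_root(root: Path, requested: str) -> Path:
    """Map an untrusted, URL-encoded file name onto a path under `root`.

    The name is decoded exactly once, then joined to the root and fully
    resolved (symlinks included) before the containment check, so that
    '..' segments, encoded separators and symlinks pointing outside the
    root are all rejected by the same comparison.
    """
    name = unquote(requested)
    if not name or "\x00" in name:
        raise PathTraversalError("empty name or NUL byte in name")
    # Windows servers treat backslash as a separator; normalise so the
    # check below sees the same segments the filesystem would.
    name = name.replace("\\", "/")
    if name.startswith("/"):
        raise PathTraversalError("absolute paths are not allowed")
    root = root.resolve()
    candidate = (root / name).resolve()
    # Containment is decided on the resolved path, not on the text of the
    # request, so 'images/../images/x' is allowed while '../x' is not.
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{requested!r} escapes the document root")
    return candidate


def read_document(root: Path, requested: str) -> bytes:
    """Hardened equivalent of a 'return the file the client named' handler
    (hypothetical; not the product's own code)."""
    target = resolve_within_root(root, requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def demo() -> dict:
    """Build a throwaway document root with constructed files and exercise
    the check. Returns a mapping of request -> 'ok', 'denied' or 'missing'."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "docroot"
        (root / "images").mkdir(parents=True)
        (root / "images" / "page1.png").write_bytes(b"\x89PNG-constructed")
        # A constructed file one level above the root that must stay unreachable.
        (base / "secret.config").write_text("constructed secret")
        requests = [
            "images/page1.png",               # legitimate request
            "images/../images/page1.png",     # '..' that stays inside the root
            "../secret.config",               # plain traversal
            "..%2F..%2Fsecret.config",        # URL-encoded separators
            "images\\..\\..\\secret.config",  # backslash separators
            "/etc/hostname",                  # absolute path
        ]
        try:
            # A symlink inside the root that points outside it; resolving
            # before the check catches this case too. Skipped where the
            # platform refuses to create symlinks.
            (root / "escape").symlink_to(base)
            requests.append("escape/secret.config")
        except OSError:
            pass
        for req in requests:
            try:
                read_document(root, req)
                results[req] = "ok"
            except PathTraversalError:
                results[req] = "denied"
            except FileNotFoundError:
                results[req] = "missing"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{outcome:7} {req}")
```

Two design points matter here: the decode happens once and before the join (decoding after a check, or decoding twice, reintroduces the bypass), and the comparison is made on the fully resolved path rather than by searching the request text for `..`, which is why a `..` that stays inside the root is still served and a symlink that leaves it is not.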