Platform
wordpress
Component
sp-client-document-manager
Fixed in
4.71.1
CVE-2024-37224 is a directory traversal vulnerability in the SP Project & Document Manager WordPress plugin. By manipulating a file path passed to the plugin, an attacker can read files from the server that the plugin was never meant to serve. Versions 4.71 and earlier are affected; the fix shipped in version 4.71.1.
Directory traversal lets an attacker insert sequences such as ../ into a file path so that the application reads a file outside the directory it was meant to serve. On a WordPress install the obvious target is wp-config.php, which holds the database credentials and authentication salts; other candidates are plugin and theme source code, backups, and files belonging to other sites on the same host. With the database credentials an attacker can read and modify user data and site content and, in many setups, create an administrator account and install a malicious plugin, which amounts to full compromise of the WordPress instance and possibly the underlying server. Where one server hosts several sites or applications, the blast radius extends to everything the web server user can read.
CVE-2024-37224 was publicly disclosed on July 9, 2024. At the time of writing there is no known public proof-of-concept exploit and the vulnerability is not listed in the CISA KEV catalog. Its EPSS score is 1.49% (81st percentile): a low absolute probability of exploitation in the next 30 days, but higher than most CVEs, which is consistent with path traversal being simple to exploit once the vulnerable endpoint is known.
Organizations running SP Project & Document Manager 4.71 or earlier are at risk. The exposure is greater on shared hosting, on servers where the web server user can read files outside the site's document root, and where no WAF filters traversal sequences.
• wordpress / composer / npm:
wp plugin get sp-client-document-manager --field=version   # 4.71 or lower is affected
grep -rh -m1 'Version:' /var/www/html/wp-content/plugins/sp-client-document-manager/*.php   # same check without WP-CLI; adjust the path to your install
• generic web:
curl -s --path-as-is -o /dev/null -w '%{http_code}\n' 'http://your-wordpress-site.com/wp-content/uploads/../../../../etc/passwd'   # Check for file disclosure. --path-as-is stops curl from collapsing the ../ segments itself; a 200 shows the web server passes traversal sequences through, but this does not exercise the plugin's vulnerable code path, which this advisory does not identify.
Exploit status
EPSS
1.49% (81st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade SP Project & Document Manager to version 4.71.1 or later, which contains the fix. If upgrading immediately is not possible, apply temporary workarounds. A Web Application Firewall (WAF) can block requests containing traversal sequences, but the rule must match after URL decoding, including double-encoded forms such as %2e%2e%2f and %252e%252e%252f, or it is trivially bypassed. Run the web server under an account that can read only the files it needs, so that a successful traversal yields as little as possible. Regularly review installed plugins and obtain them only from trusted sources.
Update the SP Project & Document Manager plugin to the latest available version. The path traversal vulnerability allows access to unauthorized files, so updating is crucial to mitigate the risk. Consult the plugin's page on WordPress.org for the most recent version.
CVE-2024-37224 is a directory traversal vulnerability in SP Project & Document Manager that lets an attacker read arbitrary files the web server can access. It is rated HIGH severity because of the potential exposure of sensitive data such as configuration files and credentials.
You are affected if you are using SP Project & Document Manager version 4.71 or earlier. Upgrade to 4.71.1 to resolve the issue.
Upgrade to version 4.71.1 or later. Until then, add WAF rules that block path traversal attempts (matching after URL decoding) and monitor access logs for requests containing ../ or its encoded forms.
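The log-monitoring workaround above in working form, as an added example that is not from the advisory or from the plugin's own code. It goes beyond a literal "../" match: requests are percent-decoded until stable, so single- and double-encoded traversal sequences are caught, while filenames that merely contain ".." (report..pdf) are not. The log lines are constructed, the combined log format is assumed, and the request paths in them (/download.php?file=...) are hypothetical and are not the endpoint affected by CVE-2024-37224, which the advisory does not name.

```python
"""Added example (not from the advisory or from the plugin's own code):
scan web-server access logs for path-traversal attempts, covering the
percent-encoded and double-encoded forms that a naive "../" string match
would miss. The log lines below are constructed; the request paths in
them are hypothetical and are not the endpoint affected by CVE-2024-37224."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote

# Constructed sample in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2024:10:15:02 +0000] "GET /wp-content/uploads/../../../../etc/passwd HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.4 - - [09/Jul/2024:10:16:11 +0000] "GET /download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.4 - - [09/Jul/2024:10:16:12 +0000] "GET /download.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.9 - - [09/Jul/2024:10:17:30 +0000] "GET /wp-content/uploads/2024/07/report..pdf HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so both
    %2e%2e%2f and %252e%252e%252f end up as '../'; treat backslash as '/'."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_dotdot_segment(value: str) -> bool:
    """True if any '/'-separated segment is exactly '..'
    (so 'report..pdf' is not a hit, but 'a/../b' is)."""
    return any(seg == ".." for seg in value.split("/"))


def is_traversal(target: str) -> bool:
    """Check the request path and every query-string value for a '..' segment."""
    norm = normalize_target(target)
    path, _, query = norm.partition("?")
    if has_dotdot_segment(path):
        return True
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(has_dotdot_segment(v) for v in values):
            return True
    return False


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per request that looks like a traversal attempt.
    'served' is True for a 2xx status, which suggests a file was actually
    returned and deserves immediate attention."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "served": m["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "POSSIBLE DISCLOSURE" if hit["served"] else "blocked/not found"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {flag}: {hit["target"]}')
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log").read())`; the 404 on the first traversal line shows the web server rejected it, while the two 200s on the hypothetical download endpoint are the kind of entries that warrant pulling the response size and the source IP's other requests. The same decode-then-check logic is what a WAF rule for this workaround has to implement; matching the raw request string for "../" misses the encoded variants in the sample.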
As of July 2024, no active exploitation has been publicly confirmed, but it's crucial to apply the patch promptly.
Refer to the official SP Project & Document Manager website or their security advisory page for the latest information and updates regarding CVE-2024-37224.