Plattform
wordpress
Komponente
salon-booking-system
Behoben in
9.9.1
CVE-2024-37231 describes an Arbitrary File Access vulnerability within the Salon Booking System. This flaw allows attackers to potentially read sensitive files on the server due to improper input validation. The vulnerability impacts versions of the Salon Booking System up to 9.9, and a patch is available in version 9.9.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. This could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. A successful exploit could compromise the entire system, allowing for data theft, modification, or even remote code execution if the accessed files contain executable code. The potential blast radius is significant, as an attacker could gain access to a wide range of files depending on the server's configuration and permissions.
CVE-2024-37231 was publicly disclosed on 2024-06-24. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the path traversal nature of the vulnerability makes it relatively straightforward to exploit.
Organizations using the Salon Booking System plugin, particularly those with older versions (≤9.9) and those who haven't implemented robust file access controls, are at risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as a compromise of one user's installation could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "../" /var/www/html/salon-booking-system/• generic web:
curl -I http://your-salon-booking-system/../../../../etc/passwddisclosure
Exploit-Status
EPSS
0.14% (34% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-37231 is to upgrade the Salon Booking System to version 9.9.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing temporary workarounds such as restricting file access permissions on the server to limit the potential damage from a successful exploit. Web Application Firewalls (WAFs) can be configured with rules to block requests containing path traversal sequences (e.g., '../'). After upgrading, confirm the vulnerability is resolved by attempting to access a file outside the intended directory and verifying that access is denied.
Actualice el plugin Salon Booking System a la última versión disponible. La vulnerabilidad de eliminación arbitraria de archivos se ha corregido en versiones posteriores a la 9.9. Consulte el registro de cambios del plugin para obtener más detalles sobre la corrección.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-37231 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a server running the Salon Booking System. It impacts versions up to 9.9.
You are affected if you are using Salon Booking System version 9.9 or earlier. Upgrade to 9.9.1 to mitigate the risk.
Upgrade to Salon Booking System version 9.9.1 or later. As a temporary workaround, restrict file access permissions or implement a WAF.
Currently, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Salon Booking System website or security advisory channels for the latest information and updates regarding CVE-2024-37231.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.