HIGH · CVE-2024-47769 · CVSS 7.5

CVE-2024-47769: Path Traversal in IDURAR ERP CRM

Platform

nodejs

Component

idurar-erp-crm

Fixed in

4.1.1

AI Confidence: high · NVD · EPSS 1.0% · Reviewed: May 2026

CVE-2024-47769 describes a Path Traversal vulnerability discovered in IDURAR ERP CRM, an open-source ERP and CRM accounting application. The flaw allows unauthenticated attackers to read sensitive system files by manipulating URL parameters. It affects versions 4.1.0 and earlier; a patch is available in version 4.1.1.

Impact and Attack Scenarios

The core of the vulnerability lies in the corePublicRouter.js file, where user-supplied input is appended directly to a path join call without validation. Because nothing sanitizes the input, an attacker can craft URL-encoded payloads that bypass the intended directory restriction. By encoding path traversal sequences (e.g., ../..), an attacker can step outside the intended directory and read files elsewhere on the file system. The potential impact includes exposure of configuration files, source code, and other sensitive data stored on the server. Depending on the permissions of the web server user, successful exploitation could lead to complete compromise of the system.

Exploitation Context

CVE-2024-47769 was publicly disclosed on 2024-10-04. No known public proof-of-concept exploits are currently available, but the vulnerability's nature makes it likely that such exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential for significant impact, warrants careful attention and prompt remediation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.00% (77% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, HIGH)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: None; Availability: None
Source: nextguardhq.com, CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: idurar-erp-crm
Vendor: idurar
Affected range: <= 4.1.0
Fixed in: 4.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-47769 is to immediately upgrade IDURAR ERP CRM to version 4.1.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns (e.g., ../, encoded equivalents). Additionally, restrict file system permissions for the web server user to the absolute minimum required for operation. Monitor access logs for unusual file access attempts that might indicate exploitation. After upgrade, confirm by attempting to access a sensitive file via a crafted path traversal URL; the request should be denied.

How to fix

Upgrade IDURAR ERP CRM to the version that fixes the path traversal vulnerability. Consult the security advisory on GitHub for details on the fixed version and the upgrade instructions. As a temporary measure, review and validate user input in corePublicRouter.js to prevent path manipulation.


Frequently asked questions

What is CVE-2024-47769 — Path Traversal in IDURAR ERP CRM?

CVE-2024-47769 is a Path Traversal vulnerability in IDURAR ERP CRM versions 4.1.0 and below, allowing unauthenticated attackers to potentially read system files.

Am I affected by CVE-2024-47769 in IDURAR ERP CRM?

You are affected if you are running IDURAR ERP CRM version 4.1.0 or earlier. Upgrade to 4.1.1 to mitigate the risk.

How do I fix CVE-2024-47769 in IDURAR ERP CRM?

Upgrade IDURAR ERP CRM to version 4.1.1 or later. Implement WAF rules to block suspicious path traversal attempts as a temporary workaround.

Is CVE-2024-47769 being actively exploited?

While no public exploits are currently known, the vulnerability's nature suggests it is likely to be targeted. Proactive mitigation is recommended.

Where can I find the official IDURAR advisory for CVE-2024-47769?

Refer to the IDURAR project's official website and GitHub repository for updates and security advisories related to CVE-2024-47769.
