Platform
nodejs
Component
idurar-erp-crm
Fixed in
4.1.1
CVE-2024-47769 describes a Path Traversal vulnerability discovered in IDURAR ERP CRM, an open-source ERP and CRM accounting software. This flaw allows unauthenticated attackers to potentially read sensitive system files by manipulating URL parameters. The vulnerability impacts versions 4.1.0 and earlier, and a patch is available in version 4.1.1.
The core of the vulnerability lies within the corePublicRouter.js file, where user input is directly appended to a join statement without proper validation. This lack of sanitization enables an attacker to craft malicious, URL-encoded payloads that bypass intended directory restrictions. By strategically encoding path traversal sequences (e.g., ../..), an attacker can navigate the file system and access files outside of the intended scope. The potential impact includes exposure of configuration files, source code, and potentially sensitive data stored on the server. Successful exploitation could lead to complete compromise of the system, depending on the permissions of the web server user.
CVE-2024-47769 was publicly disclosed on 2024-10-04. No known public proof-of-concept exploits are currently available, but the vulnerability's nature makes it likely that such exploits will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential for significant impact, warrants careful attention and prompt remediation.
Exploit Status
EPSS
1.00% (77% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-47769 is to immediately upgrade IDURAR ERP CRM to version 4.1.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns (e.g., ../, encoded equivalents). Additionally, restrict file system permissions for the web server user to the absolute minimum required for operation. Monitor access logs for unusual file access attempts that might indicate exploitation. After upgrade, confirm by attempting to access a sensitive file via a crafted path traversal URL; the request should be denied.
Actualice IDURAR ERP CRM a la versión que corrige la vulnerabilidad de path traversal. Consulte el anuncio de seguridad en GitHub para obtener más detalles sobre la versión corregida y las instrucciones de actualización. Como medida temporal, revise y valide las entradas de los usuarios en corePublicRouter.js para evitar la manipulación de rutas.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-47769 is a Path Traversal vulnerability in IDURAR ERP CRM versions 4.1.0 and below, allowing unauthenticated attackers to potentially read system files.
You are affected if you are running IDURAR ERP CRM version 4.1.0 or earlier. Upgrade to 4.1.1 to mitigate the risk.
Upgrade IDURAR ERP CRM to version 4.1.1 or later. Implement WAF rules to block suspicious path traversal attempts as a temporary workaround.
While no public exploits are currently known, the vulnerability's nature suggests it is likely to be targeted. Proactive mitigation is recommended.
Refer to the IDURAR project's official website and GitHub repository for updates and security advisories related to CVE-2024-47769.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.