Platform: wordpress
Component: sp-client-document-manager
Fixed in: 4.71.1
CVE-2024-37224 describes a Directory Traversal vulnerability discovered in SP Project & Document Manager. This flaw allows attackers to potentially read sensitive files from the server by manipulating file paths. Versions of SP Project & Document Manager prior to 4.71 are affected. A patch is available in version 4.71.1.
The Directory Traversal vulnerability allows an attacker to bypass intended access restrictions and retrieve files from the server's file system. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. An attacker could leverage this to gain a deeper understanding of the application's architecture and identify further vulnerabilities. While the immediate impact is information disclosure, it could be a stepping stone for more severe attacks, such as code execution if sensitive files contain credentials or scripts.
CVE-2024-37224 was publicly disclosed on July 9, 2024. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations using SP Project & Document Manager, particularly those running older versions (≤4.71) on shared hosting environments, are at increased risk. Sites with misconfigured file permissions or inadequate WAF protection are also more vulnerable.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/sp-project-document-manager/ # -F matches the literal "../" rather than treating the dots as regex wildcards
• generic web:
curl -I --path-as-is 'http://your-wordpress-site.com/wp-content/uploads/../../../../etc/passwd' # Check for file disclosure; --path-as-is stops curl from collapsing the ../ segments before sending the request
Exploit Status
EPSS: 1.49% (81st percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade SP Project & Document Manager to version 4.71.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to restrict access to sensitive files and directories. Specifically, block requests containing path traversal sequences like ../. Regularly review access logs for suspicious requests attempting to access files outside of the intended directory structure. Implement strict file permissions on the server to limit the impact of a successful attack.
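The access-log review recommended above is easy to get wrong, because traversal sequences rarely arrive as a plain `../`; they are usually percent-encoded once or twice. The following script is an added example, not code from this advisory or from the SP Project & Document Manager plugin. It assumes an Apache/Nginx combined-format access log, and the log lines it scans are constructed samples with hypothetical hosts and paths. It decodes each request path repeatedly before looking for `..` segments, and flags which attempts the server actually answered with a 2xx, which is the subset that needs follow-up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Hosts, timestamps
# and paths are hypothetical and not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2024:10:00:01 +0000] "GET /wp-content/plugins/sp-client-document-manager/readme.txt HTTP/1.1" 200 512
203.0.113.7 - - [09/Jul/2024:10:00:02 +0000] "GET /wp-content/uploads/../../../../etc/passwd HTTP/1.1" 403 199
203.0.113.9 - - [09/Jul/2024:10:00:03 +0000] "GET /wp-content/uploads/%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 120
203.0.113.11 - - [09/Jul/2024:10:00:04 +0000] "GET /wp-content/uploads/..%252f..%252fwp-config.php HTTP/1.1" 200 3000
203.0.113.13 - - [09/Jul/2024:10:00:05 +0000] "GET /wp-content/uploads/2024/07/report.pdf HTTP/1.1" 200 88000
"""

# Fields of a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".." path segment bounded by a separator (or start/end of the path).
# Matching on whole segments avoids false positives on names like "..hidden".
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def normalize_path(raw, rounds=3):
    """Percent-decode up to `rounds` times so single-encoded (%2e%2e%2f) and
    double-encoded (%252e%252e%252f) sequences end up in the same form as a
    plain "../". Backslashes are folded to forward slashes."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(raw_path):
    """True if the request path contains a ".." segment after decoding."""
    return TRAVERSAL_RE.search(normalize_path(raw_path)) is not None


def scan_access_log(text):
    """Return one record per request that carried a traversal sequence.
    `served` is True when the server answered 2xx, i.e. the request may
    have actually disclosed a file and must be investigated first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_traversal(m['path']):
            hits.append({
                'ip': m['ip'],
                'path': m['path'],
                'status': int(m['status']),
                'served': m['status'].startswith('2'),
            })
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        flag = 'SERVED' if hit['served'] else 'blocked'
        print(f"{hit['ip']:15} {hit['status']} {flag:8} {hit['path']}")
```

Run against a real log with `scan_access_log(open('/var/log/nginx/access.log').read())` (path assumed); the same `normalize_path` plus `TRAVERSAL_RE` logic is what a WAF rule for blocking `../` must apply to the decoded path, since a rule that only inspects the raw URL will miss the encoded variants.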
Update the SP Project & Document Manager plugin to the latest available version. The path traversal vulnerability allows access to unauthorized files, so it is crucial to update in order to mitigate the risk. Consult the plugin page on WordPress.org for the most recent version.
CVE-2024-37224 is a vulnerability allowing attackers to read arbitrary files on a server running SP Project & Document Manager. It's rated HIGH severity due to the potential for sensitive data exposure.
You are affected if you are using SP Project & Document Manager versions 4.71 and earlier. Upgrade to 4.71.1 to resolve the issue.
Upgrade to version 4.71.1 or later. As a temporary workaround, implement WAF rules to block path traversal attempts and monitor access logs.
As of July 2024, no active exploitation has been publicly confirmed, but it's crucial to apply the patch promptly.
Refer to the official SP Project & Document Manager website or their security advisory page for the latest information and updates regarding CVE-2024-37224.