← Back

CVE-2024-26261

nvd nist
Published: Feb 15, 2024Modified: Jan 23, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: twcert@cert.org.tw (Secondary)

Description

The functionality for file download in HGiga OAKlouds' certain modules contains an Arbitrary File Read and Delete vulnerability. Attackers can put file path in specific request parameters, allowing them to download the file without login. Furthermore, the file will be deleted after being downloaded.

Affected (4)

Hgiga
4 products
Oaklouds Organization 2.0
Oaklouds Organization 3.0
Oaklouds Webbase 2.0
Oaklouds Webbase 3.0
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Oaklouds Organization 2.0
Before 188
Oaklouds Organization 3.0
Before 188
Oaklouds Webbase 2.0
Before 1051
Oaklouds Webbase 3.0
Before 1051

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

Source: twcert@cert.org.tw
Third Party Advisory
Source: twcert@cert.org.tw
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.