CVE-2024-27575

Name of the Vulnerable Software and Affected Versions INOTEC Sicherheitstechnik WebServer CPS220/64 version 3.3.19

Description The issue allows a remote attacker to read arbitrary files via absolute path traversal. For example, using the "/cgi-bin/display?file=/etc/passwd" URI, an attacker can access sensitive files. There is also a mention of potential code execution via the /etc/passwd file, although the primary impact described is file reading.

Recommendations For INOTEC Sicherheitstechnik WebServer CPS220/64 version 3.3.19, consider restricting access to the /cgi-bin/display API endpoint to minimize the risk of exploitation. Avoid using the file parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.