CVE-2024-47769

Name of the Vulnerable Software and Affected Versions IDURAR (affected versions not specified)

Description The issue exists in the corePublicRouter.js file of IDURAR, an open-source ERP CRM accounting invoicing software. A public endpoint is accessible to unauthenticated users, and user input is directly appended to the join statement without checks, allowing attackers to send URL-encoded malicious payloads. This enables directory structure escape to read system files by adding an encoded string at a subpath location.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.