CVE-2024-54452

Name of the Vulnerable Software and Affected Versions: Kurmi Provisioning Suite versions prior to 7.9.0.35 Kurmi Provisioning Suite versions 7.10.x through 7.10.0.18

Description: A Directory Traversal and Local File Inclusion issue in the logsSys.do page allows remote attackers, authenticated as administrators, to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, such as configuration files with information like the database password.

Recommendations: For versions prior to 7.9.0.35, update to version 7.9.0.35 or later. For versions 7.10.x through 7.10.0.18, update to a version later than 7.10.0.18. As a temporary workaround, consider restricting access to the logsSys.do page until a patch is available.