CVE-2024-6424

Name of the Vulnerable Software and Affected Versions MESbook version 20221021.03

Description The issue allows a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST" to read the source code of web files, read internal files, or access network resources.

Recommendations For MESbook version 20221021.03, consider disabling access to the /api/Proxy/Post and /api/Proxy/Get endpoints until a patch is available. Restrict the use of the userName, password, and uri parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.