PT-2024-37842 · Naibowang · Naibowang Easyspider

Jiashenghe · Published 2024-07-15 · Updated 2024-07-19 · CVE-2024-6746

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: NaiboWang EasySpider version 0.6.2
Description: A path traversal vulnerability was found in the HTTP GET request handler of NaiboWang EasySpider 0.6.2, in the file server.js. The handler does not confine the requested path to the directory it is meant to serve, so a request containing a sequence such as /../../../../../../../../../Windows/win.ini reads a file outside that directory (the '../filedir' form of path traversal, CWE-22 family). The attack can only be performed from within the local network the EasySpider server is reachable on (AV:A). An exploit for this issue has been publicly disclosed. The maintainer notes that the software runs locally by default and is not exposed to the internet, which reduces the practical severity of the issue.
Recommendations: At the time of writing there is no information about a release that fixes this vulnerability in NaiboWang EasySpider 0.6.2. Until a patch is available, restrict access to the vulnerable HTTP GET request handler: run EasySpider only on a trusted machine, bind its HTTP server to the loopback interface or block its port at the host firewall, and do not run it on a shared or untrusted network. Note that the traversal sequence is supplied by the attacker in the request, so it cannot be avoided by the user's own input; the only user-side workaround is limiting who can reach the server. A fix in server.js should decode the request path once, resolve it against the served directory and reject any result that does not remain inside that directory.

Exploit: Path traversal

Weakness Enumeration

Related Identifiers: CVE-2024-6746

Affected Products: Naibowang Easyspider