PT-2024-41092 · Netalertx

Published: 2024-09-28 · Updated: 2025-06-24 · CVE-2024-48766

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: NetAlertX versions 24.7.18 through 24.10.12
Description: The issue allows unauthenticated file reading. It stems from a strpos-based path check in components/logs.php that does not properly restrict the requested path name to the intended directory (directory traversal), combined with missing authentication enforcement: the endpoint relies on an HTTP redirect, which a client can simply ignore. Exploitation of the vulnerability may allow an attacker to read arbitrary files.
Recommendations: For versions 24.7.18 through 24.10.12, update to version 24.10.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the components/logs.php file until a patch is available. Do not rely on strpos-based substring checks to block directory traversal, and restrict access to sensitive directories to prevent unauthorized file reading.
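The two weaknesses named above (a redirect that does not stop execution, and a substring check that does not confine the path) map to two server-side fixes. The following is an added example of the hardened pattern and is not NetAlertX code; the `LOG_DIR` value, the `file` query parameter and the session key `user` are assumptions.

```php
<?php
// Added example, not NetAlertX code: a hardened log-viewer endpoint that
// (1) enforces authentication before any file access and (2) confines the
// requested file to one directory by canonical path, not by substring.
declare(strict_types=1);

const LOG_DIR = '/app/front/log';   // assumed base directory, not taken from the advisory

// A redirect alone is not access control: if the script keeps running after
// header('Location: ...'), a client that ignores the redirect still receives the body.
function require_login(bool $authenticated): void
{
    if (!$authenticated) {
        header('Location: /index.php', true, 302);
        exit;                        // stop here; never fall through to the file read
    }
}

// Substring tests such as strpos($path, LOG_DIR) !== false accept any string that
// merely contains the directory name. Only the canonical (realpath) form can be
// compared against the base directory using a separator-terminated prefix.
function resolve_log_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                 // base directory missing or unreadable
    }
    // Accept only a plain file name: no separators, no NUL, no '.'/'..' segments.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                 // nonexistent, or not a regular file
    }
    // realpath() follows symlinks, so a link pointing outside LOG_DIR fails this check too.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

session_start();
require_login(isset($_SESSION['user']));   // assumed session key set by the app's login flow
$path = resolve_log_path(LOG_DIR, (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(403);
    exit;
}
header('Content-Type: text/plain');
readfile($path);
```

The prefix comparison must include the trailing separator; comparing against the bare base path would also accept a sibling directory whose name merely starts with the same characters.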

Exploit · Fix

Weakness Enumeration: Path traversal · Improper Authentication

Related Identifiers: BDU:2025-02475 · CVE-2024-48766

Affected Products: Netalertx