CVE-2024-34470

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
References
Link Resource
https://github.com/osvaldotenorio/CVE-2024-34470 Exploit Third Party Advisory
https://github.com/osvaldotenorio/CVE-2024-34470 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:hsclabs:mailinspector:*:*:*:*:*:*:*:*

History

17 Jun 2025, 16:23

Type Values Removed Values Added
References () https://github.com/osvaldotenorio/CVE-2024-34470 - () https://github.com/osvaldotenorio/CVE-2024-34470 - Exploit, Third Party Advisory
First Time Hsclabs
Hsclabs mailinspector
CPE cpe:2.3:a:hsclabs:mailinspector:*:*:*:*:*:*:*:*

21 Nov 2024, 09:18

Type Values Removed Values Added
References () https://github.com/osvaldotenorio/CVE-2024-34470 - () https://github.com/osvaldotenorio/CVE-2024-34470 -

03 Jul 2024, 02:00

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en HSC Mailinspector 5.2.17-3 hasta v.5.2.18. Existe una vulnerabilidad de path traversal no autenticada en el archivo /public/loader.php. El parámetro de ruta no filtra adecuadamente si el archivo y el directorio pasados son parte de la raíz web, lo que permite a un atacante leer archivos arbitrarios en el servidor.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.6
CWE CWE-29

06 May 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-06 15:15

Updated : 2025-06-17 16:23


NVD link : CVE-2024-34470

Mitre link : CVE-2024-34470

CVE.ORG link : CVE-2024-34470


JSON object : View

Products Affected

hsclabs

  • mailinspector
CWE
CWE-29

Path Traversal: '\..\filename'