CVE-2024-1303: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-22.
Software link: https://www.s-can.at/en/product/monitool/
Version: 4.6.3
@author: Guillermo García Molina
Description: In s:can moni:tools up to and including version 4.6.3, an authenticated attacker could get any file from the device by path traversal in the download-file functionality.
The Download files functionality, found in (Service>Output>Export Data>Files), is used to download different documents from the application. When these documents are selected and the button “Download files” is pressed, a compressed file with the requested documents is downloaded:
The parameter names, which is found in the request performed to the server, is affected by a path traversal vulnerability. As it is shown in the following pictures, injecting the payload ../../../../../etc/passwd in the vulnerable parameter of the request performed to the export-autofiles-download.x endpoint, downloads a compressed file with /etc/passwd.
