CRITICAL🇵🇱 Wersja polska

CVE-2024-31818

CVSS 9.8v3.1pub. 2024-04-12upd. 2025-06-17

Directory Traversal vulnerability in DerbyNet v.9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component.

🤖 AI Analysis
How it works

The vulnerability exists in the kiosk.php component of the DerbyNet application. The 'page' parameter passed to this script is not properly validated or filtered, allowing an attacker to provide a crafted path containing path traversal sequences (e.g., '../'). By manipulating this parameter, a remote attacker can exit the allowed application directory and execute arbitrary code on the server without requiring any privileges.

Impact

An attacker can gain full control over the server, including reading, modifying or deleting any files, as well as executing malicious code leading to system compromise. The confidentiality, integrity and availability of the entire server environment are at risk.

Mitigation & patch

Apply patches available from the vendor according to the references. As a temporary workaround, it is recommended to restrict access to the kiosk.php component at the firewall or web server level and monitor the 'page' parameter for suspicious values.

Who is affected

DerbyNet version 9.0 — website/kiosk.php component

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Derbynet

    APP
    Derbynet
    9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-30922CRITICAL9.8PL ✓ten sam produkt

SQL Injection w DerbyNet v9.0 — zdalne wykonanie kodu przez klauzulę WHERE

CVE-2024-30923CRITICAL9.8PL ✓ten sam produkt

SQL Injection z możliwością RCE w DerbyNet v9.0 i wcześniejszych

CVE-2024-30920HIGH7.4ten sam produkt

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary co...

CVE-2024-30928HIGH8.1ten sam produkt

SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via ...

CVE-2024-30929HIGH8.0ten sam produkt

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via t...