CVE-2024-49366 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
nginxui	nginx_ui	𝑥 ≤ 1.9.9-4
nginxui	nginx_ui	2.0.0:beta1
nginxui	nginx_ui	2.0.0:beta10
nginxui	nginx_ui	2.0.0:beta10_patch
nginxui	nginx_ui	2.0.0:beta11
nginxui	nginx_ui	2.0.0:beta12
nginxui	nginx_ui	2.0.0:beta13
nginxui	nginx_ui	2.0.0:beta13-patch
nginxui	nginx_ui	2.0.0:beta14
nginxui	nginx_ui	2.0.0:beta15
nginxui	nginx_ui	2.0.0:beta16
nginxui	nginx_ui	2.0.0:beta17
nginxui	nginx_ui	2.0.0:beta18
nginxui	nginx_ui	2.0.0:beta18-patch1
nginxui	nginx_ui	2.0.0:beta18-patch2
nginxui	nginx_ui	2.0.0:beta19
nginxui	nginx_ui	2.0.0:beta2
nginxui	nginx_ui	2.0.0:beta20
nginxui	nginx_ui	2.0.0:beta21
nginxui	nginx_ui	2.0.0:beta22
nginxui	nginx_ui	2.0.0:beta23
nginxui	nginx_ui	2.0.0:beta23-patch1
nginxui	nginx_ui	2.0.0:beta23-ptach2
nginxui	nginx_ui	2.0.0:beta24
nginxui	nginx_ui	2.0.0:beta25
nginxui	nginx_ui	2.0.0:beta25-patch1
nginxui	nginx_ui	2.0.0:beta25-ptach2
nginxui	nginx_ui	2.0.0:beta27
nginxui	nginx_ui	2.0.0:beta28
nginxui	nginx_ui	2.0.0:beta29
nginxui	nginx_ui	2.0.0:beta3
nginxui	nginx_ui	2.0.0:beta30
nginxui	nginx_ui	2.0.0:beta31
nginxui	nginx_ui	2.0.0:beta32
nginxui	nginx_ui	2.0.0:beta32-patch1
nginxui	nginx_ui	2.0.0:beta33
nginxui	nginx_ui	2.0.0:beta34
nginxui	nginx_ui	2.0.0:beta35
nginxui	nginx_ui	2.0.0:beta4
nginxui	nginx_ui	2.0.0:beta4_patch
nginxui	nginx_ui	2.0.0:beta5
nginxui	nginx_ui	2.0.0:beta5_patch
nginxui	nginx_ui	2.0.0:beta6
nginxui	nginx_ui	2.0.0:beta6_patch
nginxui	nginx_ui	2.0.0:beta6_patch2
nginxui	nginx_ui	2.0.0:beta7
nginxui	nginx_ui	2.0.0:beta8
nginxui	nginx_ui	2.0.0:beta8_patch
nginxui	nginx_ui	2.0.0:beta9

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-prv4-rx44-f7jr

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-prv4-rx44-f7jr