CVE-2024-49367

Oct. 21, 2024, 5:15 p.m.

Tags

security-advisories@github.com
CWE-862
2024-10-21
CVE-2024-49367

Product(s) Impacted

Nginx UI

  • before 2.0.0-beta.36

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, the log path of nginxui is controllable. This issue can be combined with the directory traversal at `/api/configs` to read directories and file contents on the server. Version 2.0.0-beta.36 fixes the issue.

Weaknesses

CWE-862
Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE ID: 862

Date

Published: Oct. 21, 2024, 5:15 p.m.

Last Modified: Oct. 21, 2024, 5:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

References

https://github.com/0xJacky/nginx-ui/releases/tag/v2.0.0-beta.36
security-advisories@github.com
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-gr34-jgw4-7j4m
security-advisories@github.com