CVE-2024-6049
Published: Oct 24, 2024
Modified: Oct 25, 2024
PUBLISHED
Description
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, exploitation is only possible if the requested file has a file extension, e.g. .exe or .txt.
| Vendor | Product | Versions |
|---|---|---|
| Lawo AG | vsm LTC Time Sync (vTimeSync) | unaffected 4.5.6.0 |
Weaknesses (CWE)
References
https://r.sec-consult.com/lawo
third-party-advisory