CVE-2024-34471 - Vulnerability Details - OpenCVE

An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hsclabs	Mailinspector

Configuration 1 [-]

cpe:2.3:a:hsclabs:mailinspector:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/osvaldotenorio/CVE-2024-34471

History

Tue, 17 Jun 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hsclabs Hsclabs mailinspector
CPEs		cpe:2.3:a:hsclabs:mailinspector::::::::
Vendors & Products		Hsclabs Hsclabs mailinspector

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-05-06T00:00:00

Updated: 2024-08-02T02:51:11.429Z

Reserved: 2024-05-04T00:00:00

Link: CVE-2024-34471

Vulnrichment

Updated: 2024-08-02T02:51:11.429Z

NVD

Status : Analyzed

Published: 2024-05-06T16:15:14.137

Modified: 2025-06-17T17:13:49.083

Link: CVE-2024-34471

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-34471", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T02:51:11.429Z", "dateReserved": "2024-05-04T00:00:00", "datePublished": "2024-05-06T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-06T15:29:13.931585"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/osvaldotenorio/CVE-2024-34471"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34471", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T15:04:45.867099Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hsc:mailinspector:5.2.17-3:*:*:*:*:*:*:*"], "vendor": "hsc", "product": "mailinspector", "versions": [{"status": "affected", "version": "5.2.17-3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:09.163Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:11.429Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/osvaldotenorio/CVE-2024-34471", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/osvaldotenorio/CVE-2024-34471", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:11.429Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34471", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T15:04:45.867099Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hsc:mailinspector:5.2.17-3:*:*:*:*:*:*:*"], "vendor": "hsc", "product": "mailinspector", "versions": [{"status": "affected", "version": "5.2.17-3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T15:07:03.220Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/osvaldotenorio/CVE-2024-34471"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-06T15:29:13.931585"}}}, "cveMetadata": {"cveId": "CVE-2024-34471", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:11.429Z", "dateReserved": "2024-05-04T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-06T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hsclabs:mailinspector:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA0B7E15-A3DF-485A-AA44-F8501894C017", "versionEndIncluding": "5.2.18", "versionStartIncluding": "5.2.17-3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en HSC Mailinspector 5.2.17-3. Existe una vulnerabilidad de Path Traversal (que provoca la eliminaci\u00f3n de archivos) en el archivo mliRealtimeEmails.php. El par\u00e1metro de nombre de archivo en la funcionalidad de exportaci\u00f3n HTML no valida correctamente la ubicaci\u00f3n del archivo, lo que permite a un atacante leer y eliminar archivos arbitrarios en el servidor. Esto se observ\u00f3 cuando el archivo mliRealtimeEmails.php fue le\u00eddo y posteriormente eliminado, lo que result\u00f3 en un error 404 para el archivo y la interrupci\u00f3n de la carga de la informaci\u00f3n del correo electr\u00f3nico."}], "id": "CVE-2024-34471", "lastModified": "2025-06-17T17:13:49.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-06T16:15:14.137", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://github.com/osvaldotenorio/CVE-2024-34471"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/osvaldotenorio/CVE-2024-34471"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}