CVE-2024-11238
published 2024-11-15


Priority: P180 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.60% (91.9th percentile)
A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| landray | ekp | | |
| landray | landray_ekp | <= 16.0 | |

Detection & IOCs (extracted from sources)

path: `/sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile`
url: `/sys/ui/sys_ui_component/sysUiComponent.do?method=delPreviewFile&directoryPath=../{{faviconPath}}/`
  • Detect exploitation attempts by monitoring HTTP GET requests to the vulnerable endpoint with a `directoryPath` parameter containing path traversal sequences (e.g., `../`).
  • Identify Landray EKP instances via Shodan using favicon hash 831854882 to scope exposure.
  • A successful exploitation sequence results in a 200 response with content_length == 0 on the delPreviewFile endpoint, followed by a 404 on the previously accessible favicon resource — indicating the file/directory was deleted via path traversal.
  • The attack requires no authentication (PR:N, UI:N) and is remotely exploitable; monitor for unauthenticated requests to `sysUiComponent.do?method=delPreviewFile`.
  • The Nuclei template uses a multi-step flow: it first fetches /login.jsp to extract a dynamic `faviconPath` value, then verifies the favicon exists (HTTP 200), then triggers the path traversal deletion, and finally confirms deletion via HTTP 404. Detection logic must account for this chained, stateful attack pattern rather than a single request.
  • The vulnerability affects Landray EKP up to version 16.0; versions beyond this range may not be affected.
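
The stateful correlation described in the bullets above, as an added example (not from the original page, the Nuclei template, or any vendor tooling). It assumes a combined-format web access log; the sample lines, client addresses and the `/resource/demo-theme/` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/sys/ui/sys_ui_component/sysUiComponent.do"  # endpoint named in the advisory
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed sample log (combined format); addresses and theme path are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2024:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Nov/2024:10:00:02 +0000] "GET /resource/demo-theme/favicon.ico HTTP/1.1" 200 1150',
    '203.0.113.7 - - [15/Nov/2024:10:00:03 +0000] "GET /sys/ui/sys_ui_component/sysUiComponent.do'
    '?method=delPreviewFile&directoryPath=../resource/demo-theme/ HTTP/1.1" 200 0',
    '203.0.113.7 - - [15/Nov/2024:10:00:04 +0000] "GET /resource/demo-theme/favicon.ico HTTP/1.1" 404 196',
    '198.51.100.9 - - [15/Nov/2024:10:05:00 +0000] "GET /sys/ui/sys_ui_component/sysUiComponent.do'
    '?method=delPreviewFile&directoryPath=%2e%2e%2ftmp%2f HTTP/1.1" 403 0',
]

def detect(lines):
    """Return alerts: traversal attempts, and 404s that follow a 200/empty delete."""
    seen_ok, deleted_dirs, alerts = set(), [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status, size = m.groups()
        url = urlsplit(target)
        qs = parse_qs(url.query)
        if url.path == ENDPOINT and "delPreviewFile" in qs.get("method", []):
            # parse_qs decodes once; unquote again to catch double-encoded "../"
            raw = unquote(qs.get("directoryPath", [""])[0]).replace("\\", "/")
            parts = raw.split("/")
            if ".." in parts:
                alerts.append(("traversal_attempt", client, raw))
                if status == "200" and size in ("0", "-"):
                    # remember the targeted directory without the traversal segments
                    deleted_dirs.append("/".join(p for p in parts if p not in ("", ".", "..")))
        elif status == "200":
            seen_ok.add(url.path)  # resource known to have been served
        elif status == "404" and url.path in seen_ok:
            # previously served resource now missing under a targeted directory
            if any(d and d in url.path for d in deleted_dirs):
                alerts.append(("probable_deletion", client, url.path))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The 404 correlation is deliberately not tied to the client address, so a deletion is still flagged when a different user is the first to request the missing resource.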

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vulncheck | | 6.9 | MEDIUM | |