{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-4297","assignerOrgId":"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e","state":"PUBLISHED","assignerShortName":"twcert","dateReserved":"2024-04-29T01:47:07.589Z","datePublished":"2024-04-29T02:28:24.526Z","dateUpdated":"2025-07-14T02:17:55.601Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["iSherlock-sysinfo-4.5"],"product":"iSherlock 4.5","vendor":"HGiga","versions":[{"lessThan":"147","status":"affected","version":"earlier","versionType":"custom"}]},{"defaultStatus":"unaffected","modules":["iSherlock-sysinfo-5.5"],"product":"iSherlock 5.5","vendor":"HGiga","versions":[{"lessThan":"147","status":"affected","version":"earlier","versionType":"custom"}]}],"datePublic":"2024-04-29T02:20:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files."}],"value":"The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files."}],"impacts":[{"capecId":"CAPEC-139","descriptions":[{"lang":"en","value":"CAPEC-139 Relative Path Traversal"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e","shortName":"twcert","dateUpdated":"2025-07-14T02:17:55.601Z"},"references":[{"tags":["third-party-advisory"],"url":"https://www.twcert.org.tw/tw/cp-132-7767-ce3b4-1.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update iSherlock-sysinfo-4.5 to version 147 or later<br>\n\nUpdate iSherlock-sysinfo-5.5 to version 147 or later\n\n<br>"}],"value":"Update iSherlock-sysinfo-4.5 to version 147 or later\n\n\nUpdate iSherlock-sysinfo-5.5 to version 147 or later"}],"source":{"advisory":"TVN-202404008","discovery":"EXTERNAL"},"title":"HGiga iSherlock - Arbitrary File Download","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-4297","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-29T14:46:04.177828Z"}}}],"affected":[{"cpes":["cpe:2.3:a:hgiga:isherlock:4.5:*:*:*:*:*:*:*"],"vendor":"hgiga","product":"isherlock","versions":[{"status":"affected","version":"4.5","lessThan":"4.5-147","versionType":"custom"}],"defaultStatus":"unknown"}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:53:11.281Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T20:33:53.076Z"},"title":"CVE Program Container","references":[{"tags":["third-party-advisory","x_transferred"],"url":"https://www.twcert.org.tw/tw/cp-132-7767-ce3b4-1.html"}]}]}}