CVE-2024-51376
Published: 12 February 2025
Description
Directory Traversal vulnerability in yeqifu carRental v.1.0 allows a remote attacker to obtain sensitive information via the file/downloadFile.action?path= component.
Security Summary
CVE-2024-51376 is a Directory Traversal vulnerability (CWE-22) in yeqifu carRental version 1.0. The flaw exists in the file/downloadFile.action?path= component, enabling a remote attacker to obtain sensitive information. It was published on 2025-02-12 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact with no impact on integrity or availability.
A remote attacker requires only network access to exploit this vulnerability, with low attack complexity, no privileges, and no user interaction needed. Exploitation allows the attacker to traverse directories and access sensitive files on the affected system, potentially exposing configuration data, user information, or other confidential resources.
Advisories and further details on the vulnerability, including potential mitigation steps, are available in the referenced GitHub repositories: https://github.com/echo0d/vulnerability/blob/main/yeqifu_carRental/DirectoryTraversal.md and https://github.com/yeqifu/carRental/issues/43.
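For defenders reviewing web access logs, the following added example (not from the advisory or the carRental project) flags requests to file/downloadFile.action whose path parameter decodes to a parent-directory segment or an absolute path. The combined log format, the sample lines, and the assumption that legitimate path values are relative file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "file/downloadFile.action"  # component named in the advisory
# Request line and status inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; addresses, file names and sizes are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2025:10:01:02 +0000] "GET /file/downloadFile.action?path=2025-02-12/car1.jpg HTTP/1.1" 200 48213',
    '203.0.113.9 - - [12/Feb/2025:10:01:05 +0000] "GET /file/downloadFile.action?path=../../secret.txt HTTP/1.1" 200 1377',
    '203.0.113.9 - - [12/Feb/2025:10:01:09 +0000] "GET /file/downloadFile.action?path=%252e%252e%252fsecret.txt HTTP/1.1" 200 1377',
    '203.0.113.7 - - [12/Feb/2025:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(path_value):
    """True when the value has a '..' segment or is an absolute path."""
    p = fully_decode(path_value).replace("\\", "/")
    if p.startswith("/") or re.match(r"^[A-Za-z]:", p):
        return True
    return ".." in p.split("/")

def scan(lines):
    """Return (line_number, status, decoded_path) for each flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs already decodes once; fully_decode handles further layers.
        for value in parse_qs(url.query, keep_blank_values=True).get("path", []):
            if is_suspicious(value):
                hits.append((n, int(m.group(2)), fully_decode(value)))
    return hits
```

A flagged request that returned status 200 is the one to triage first, since the response body may have contained the requested file.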
Details
- CWE(s)