Simplehelp
CVE-2024-57727
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
AnalysisAI
SimpleHelp remote support software contains multiple path traversal vulnerabilities allowing unauthenticated remote attackers to download arbitrary files including server configuration and hashed passwords.
Technical ContextAI
The CWE-22 path traversal via /c/router endpoint with getImageByPath allows reading arbitrary files. Critical files include server configuration containing LDAP credentials, API keys, and password hashes for SimpleHelp accounts.
RemediationAI
Update SimpleHelp to 5.5.8+. Rotate all stored credentials. Audit remote support session logs for unauthorized access.
More in Simplehelp
View allSame weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today