CVE-2024-34470
CVE-2024-34470 is a high-severity vulnerability in Hsclabs Mailinspector with a CVSS 3.x base score of 8.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-29.
Key facts
- Severity: High (CVSS 3.x base score 8.6)
- EPSS exploit prediction: 7% (93rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-34819
- Weakness: CWE-29
- Affected product: Hsclabs Mailinspector
- Published:
- Last modified:
Description
An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
Frequently asked questions
- What is CVE-2024-34470?
- An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
- How severe is CVE-2024-34470?
- CVE-2024-34470 has a CVSS 3.x base score of 8.6, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2024-34470 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 7% (93rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-34470?
- CVE-2024-34470 affects Hsclabs Mailinspector. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-34470?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-34470 have an EU (EUVD) identifier?
- Yes. CVE-2024-34470 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-34819.
- When was CVE-2024-34470 published?
- CVE-2024-34470 was published on 2024-05-06 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:hsclabs:mailinspector:*:*:*:*:*:*:*:*
More vulnerabilities in Hsclabs Mailinspector
- CVE-2024-32370 — Critical (CVSS 9.8): An issue in HSC Cybersecurity HC Mailinspector 5.2.17-3 through 5.2.18 allows a remote attacker to obtain sensitive…
- CVE-2026-29963 — High (CVSS 7.5): HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the…
- CVE-2026-29962 — High (CVSS 7.5): HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of…
- CVE-2024-32371 — High (CVSS 7.5): An issue in HSC Cybersecurity HC Mailinspector 5.2.17-3 through 5.2.18 allows a regular user account to escalate their…
- CVE-2026-29965 — Medium (CVSS 6.1): HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to…
- CVE-2026-29964 — Medium (CVSS 6.1): HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to…
All CVEs affecting Hsclabs Mailinspector →
Other CWE-29 vulnerabilities
- CVE-2025-15036 — Critical (CVSS 10.0): A path traversal vulnerability exists in the `extract_archive_to_dir` function within the…
- CVE-2024-2083 — Critical (CVSS 9.9): A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps…
- CVE-2024-6396 — Critical (CVSS 9.8): A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any…
- CVE-2024-5443 — Critical (CVSS 9.8): CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the…
- CVE-2024-2358 — Critical (CVSS 9.8): A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute…
- CVE-2023-6975 — Critical (CVSS 9.8): A malicious user could use this issue to get command execution on the vulnerable machine and get access to data &…