CVE-2024-6049 Information

Description

The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "...\" (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, exploitation is only possible if the requested file has a file extension, e.g. .exe or .txt.
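
A detection sketch for the request pattern described above, added here as an example and not taken from the advisory or from Lawo's code: it flags access-log request targets that contain a path segment made of three or more dots, after percent-decoding. The log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# A whole path segment of three or more dots, delimited by "/" or "\".
DOT_RUN = re.compile(r'(?:^|[\\/])\.{3,}(?:[\\/]|$)')

# Request line as written in common/combined access logs (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots and separators are seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_dot_run_traversal(target):
    """True if the path part of a request target has a '...' style segment."""
    path = decode_fully(target.split("?", 1)[0])
    return bool(DOT_RUN.search(path))


def flag_lines(lines):
    """Return 1-based numbers of log lines whose request target is suspicious."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and is_dot_run_traversal(match.group("target")):
            hits.append(number)
    return hits


# Constructed sample log lines (documentation addresses, placeholder file name).
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jul/2024:10:00:05 +0000] "GET /...\\...\\example.txt HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Jul/2024:10:00:06 +0000] "GET /%2e%2e%2e%5cexample.txt HTTP/1.1" 200 90',
    '192.0.2.12 - - [01/Jul/2024:10:00:09 +0000] "GET /docs/v1...2/notes.txt HTTP/1.1" 200 77',
    '192.0.2.13 - - [01/Jul/2024:10:00:12 +0000] "GET /a/%252e%252e%252e%255cexample.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("suspicious lines:", flag_lines(SAMPLE))
```

The pattern only covers dot runs of three or more; classic `..` traversal needs its own rule.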

Reference

https://r.sec-consult.com/lawo
https://lawo.com/lawo-downloads/
