This product verifies only the username in the JWT, not the password, so attackers can forge a JWT and log in as an arbitrary user without a password. Ultimately, this enables attackers to escalate privileges and use more functionality, such as deletion, renaming, and other dangerous operations.
CuteHttpFileServer <= 3.1 (latest)
Attackers set up a local environment, capture the specified user's cookie, and then place it into the real environment to exploit the vulnerability.
For more details, please refer to the following links:
PDF
:::info
https://github.com/GZLDL/CVE/blob/main/CVE-2024-26566/CVE-2024-26566%20JWT_Rename(English).pdf
:::
WORD
:::info
https://github.com/GZLDL/CVE/blob/main/CVE-2024-26566/CVE-2024-26566%20JWT_Rename(English).docx
:::
Markdown
:::info
https://github.com/GZLDL/CVE/blob/main/CVE-2024-26566/CVE-2024-26566%20JWT_Rename(English).md
:::
It is recommended to apply the latest patch and to add password validation for the JWT.
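One way to implement the recommendation above, as an added example that is not CuteHttpFileServer's code: a token check that verifies the signature with a per-install random key and binds the token to the stored password hash, shown beside a username-only check. The `Instance` class, the claim names `user` and `cred`, and the sample accounts used with it are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Instance:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-install random key, not a shipped default
        self.users = {}                     # username -> (salt, password hash)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, pw_hash(password, salt))

    def _mac(self, data: bytes) -> str:
        return b64e(hmac.new(self.key, data, hashlib.sha256).digest())

    def issue(self, user, password):
        salt, stored = self.users[user]
        if not hmac.compare_digest(pw_hash(password, salt), stored):
            raise PermissionError("bad credentials")
        head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        # "cred" changes whenever the stored password hash changes
        body = b64e(json.dumps({"user": user, "cred": self._mac(stored)}).encode())
        return f"{head}.{body}.{self._mac(f'{head}.{body}'.encode())}"

    def verify_username_only(self, token):
        # Weak check from the advisory: trusts the username claim alone
        user = json.loads(b64d(token.split(".")[1])).get("user")
        return user if user in self.users else None

    def verify(self, token):
        # Hardened check: signature (always HMAC-SHA256), then credential binding
        try:
            head, body, sig = token.split(".")
            if not hmac.compare_digest(sig, self._mac(f"{head}.{body}".encode())):
                return None
            claims = json.loads(b64d(body))
            if hmac.compare_digest(claims["cred"], self._mac(self.users[claims["user"]][1])):
                return claims["user"]
        except (ValueError, KeyError, TypeError):
            pass
        return None
```

With the hardened check, a token issued by a different install fails signature verification, and a token issued before a password change fails the `cred` comparison.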
Below is an example of exploiting the vulnerability: forging a JWT, then using the resulting high privileges to rename files and, through directory traversal, move files from any location to another.
Reference:
:::info
ods-im/CuteHttpFileServer#15
:::