CVE-2024-50843 – This vulnerability allows remote attackers to v... (How to Fix)

Q: What is the severity of CVE-2024-50843?

CVE-2024-50843 has a CVSS score of 5.3 (MEDIUM). This vulnerability allows remote attackers to view directory listings in PHPGurukul User Registration & Login and User Management System 3.2 via the /loginsystem/assets path. This exposes sensitive files and directory structures to unauthorized users. Organizations using this specific version of the PHPGurukul system are affected.

📋 TL;DR

This vulnerability allows remote attackers to view directory listings in PHPGurukul User Registration & Login and User Management System 3.2 via the /loginsystem/assets path. This exposes sensitive files and directory structures to unauthorized users. Organizations using this specific version of the PHPGurukul system are affected.

💻 Affected Systems

Products:

PHPGurukul User Registration & Login and User Management System

Versions: 3.2

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with the vulnerable version installed and accessible via web.

📦 What is this software?

User Registration \& Login And User Management System by Phpgurukul

View all CVEs affecting User Registration \& Login And User Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could discover and download sensitive configuration files, database backups, or credential files leading to full system compromise.

🟠

Likely Case

Attackers enumerate directory contents to find additional attack vectors, sensitive information, or misconfigured files.

🟢

If Mitigated

Directory listing is disabled, limiting information disclosure to known file paths only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only web browser access to the vulnerable path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Apply workarounds or upgrade to a newer version if available.

🔧 Temporary Workarounds

Disable Directory Listing

all

Configure web server to prevent directory listing for the vulnerable path.

For Apache: Add 'Options -Indexes' to .htaccess in /loginsystem/assets directory
For Nginx: Add 'autoindex off;' to server block configuration

Restrict Access

all

Block access to /loginsystem/assets directory via web server configuration.

For Apache: 'Deny from all' in .htaccess
For Nginx: 'location /loginsystem/assets { deny all; }'

🧯 If You Can't Patch

Implement web application firewall rules to block directory listing requests
Monitor access logs for requests to /loginsystem/assets path

🔍 How to Verify

Check if Vulnerable:

Navigate to http://[target]/loginsystem/assets/ in a web browser. If directory contents are displayed, system is vulnerable.

Check Version:

Check application version in admin panel or readme files.

Verify Fix Applied:

Attempt to access the same URL after applying fixes. Should return 403 Forbidden or similar error instead of directory listing.

📡 Detection & Monitoring

Log Indicators:

HTTP 200 responses to GET requests for /loginsystem/assets/
Multiple sequential requests to /loginsystem/assets/* paths

Network Indicators:

Unusual traffic patterns to /loginsystem/assets directory

SIEM Query:

source="web_logs" AND uri_path="/loginsystem/assets/" AND status=200

📊 Metadata

CVE ID: CVE-2024-50843

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-22

Published: November 14, 2024

Last Updated: March 27, 2025

🔗 References

https://github.com/m14r41/Writeups/blob/main/CVE/phpGurukul/User%20Registration%20&%20Login%20and%20User%20Management%20System%20With%20admin%20panel/Directory%20listings.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50843, you might also want to check these: