CVE-2024-8165

4.3 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in BeikeShop's exportZip function that allows attackers to access files outside the intended directory. Attackers can exploit this remotely to read sensitive files on affected systems. All BeikeShop installations up to version 1.5.5 are vulnerable.

💻 Affected Systems

Products:
  • Chengdu Everbrite Network Technology BeikeShop
Versions: up to 1.5.5
Operating Systems: All platforms running BeikeShop
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the vulnerable exportZip function are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive configuration files, database credentials, or other critical system files, potentially leading to complete system compromise.

🟠 Likely Case

Attackers will read configuration files containing database credentials or other sensitive information, enabling further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to file disclosure within the web application context.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and a public exploit exists.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but external threat is higher.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin access to the file_manager endpoint, but the vulnerability is simple to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.0

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Back up your current installation and database.
2. Download BeikeShop version 1.6.0 from official sources.
3. Replace the affected files or perform a complete upgrade.
4. Restart the web server.
5. Verify the fix by testing the exportZip function.

🔧 Temporary Workarounds

Disable file_manager export endpoint

all

Temporarily disable or restrict access to the vulnerable /admin/file_manager/export endpoint

# Configure web server to block access to /admin/file_manager/export
# Example for Apache: Redirect 403 /admin/file_manager/export
# Example for Nginx: location ~ ^/admin/file_manager/export { deny all; }

Implement input validation

all

Add path traversal validation to the exportZip function

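# In export.php, canonicalise the path and require it to sit under BASE_DIR (compared with a trailing separator) before processing
# Example: $base = realpath(BASE_DIR); $path = realpath($input_path);
#          if ($base === false || $path === false
#              || strpos($path . DIRECTORY_SEPARATOR, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0) { die('Invalid path'); }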

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the admin interface
  • Deploy a WAF with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check if BeikeShop version is 1.5.5 or earlier by examining version files or admin panel

Check Version:

Check /version.txt or admin panel version display, or examine BeikeShop configuration files

Verify Fix Applied:

After upgrading to 1.6.0, test the exportZip function with path traversal attempts to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /admin/file_manager/export with ../ patterns
  • Failed authentication attempts followed by successful admin login and export requests

Network Indicators:

  • Unusual file download patterns from the export endpoint
  • Requests containing path traversal sequences (../, ..\)

SIEM Query:

source="web_logs" AND (uri="/admin/file_manager/export" AND (query="%2E%2E%2F" OR query="..%2F" OR query="..\\"))
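
The query above matches only a few spellings of the traversal sequence. As an added example (not part of the original advisory or BeikeShop's code), this Python script percent-decodes the query string until it is stable before matching, so mixed-case and double-encoded forms on the export endpoint are flagged too. The combined access-log format, the query parameter `p`, the file name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

EXPORT_PATH = "/admin/file_manager/export"  # endpoint named in this advisory
# Assumption: combined-format access log; adjust the pattern to your log layout.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".." as a whole path segment, delimited by /, \, "=", "&" or the string ends.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&])\.\.(?:[/\\&]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(lines):
    """Return (client_ip, status, raw_target) for export requests with '..' segments."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not fully_decode(parts.path).startswith(EXPORT_PATH):
            continue
        if TRAVERSAL_RE.search(fully_decode(parts.query)):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder parameter "p").
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2024:10:00:01 +0000] "GET /admin/file_manager/export?p=catalog/images HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Sep/2024:10:00:09 +0000] "GET /admin/file_manager/export?p=..%2F..%2Fexample.conf HTTP/1.1" 200 734',
    '192.0.2.10 - - [01/Sep/2024:10:00:12 +0000] "GET /admin/file_manager/export?p=%252e%252e%252fexample.conf HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Sep/2024:10:02:30 +0000] "GET /admin/file_manager/export?p=..%5C..%5Cexample.conf HTTP/1.1" 403 199',
    '198.51.100.7 - - [01/Sep/2024:10:02:41 +0000] "GET /admin/products?q=..%2Fx HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, status, target in find_traversal(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

Hits that returned status 200 are the ones to triage first, since the server answered the request rather than rejecting it.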
