POC details: ff441fe55701d7127ac3112ed0ac0061d21bf48b

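Source
Related vulnerability
Title: MimeTeX security vulnerability (CVE-2024-40445)
Description: MimeTeX is an image converter developed by individual developer John Forkosh. MimeTeX versions before v.1.77 contain a security vulnerability in which a specially crafted file upload causes directory traversal, which may lead to arbitrary code execution.
Description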
This repository serves as the public reference for CVE-2024-40445 and CVE-2024-40446. Both vulnerabilities impact MimeTeX, an open-source software package for rendering LaTeX expressions, which appears to be no longer maintained.
Introduction
# MimeTeX Vulnerability Reference (CVE-2024-40445 & CVE-2024-40446)

This repository serves as the public reference for the security issues CVE-2024-40445 and CVE-2024-40446 affecting [MimeTeX](https://ctan.org/pkg/mimetex), a lightweight open-source LaTeX renderer written in C.

> ⚠️ MimeTeX appears to be no longer actively maintained. Users and developers are strongly encouraged to assess the risks before using it in production environments.

## Vulnerabilities

### CVE-2024-40445 — Directory Traversal
A directory traversal vulnerability exists in MimeTeX prior to version 1.77. When operating in command-line or CGI mode, crafted user input can be used to perform unauthorized file access operations on Windows systems.

### CVE-2024-40446 — Code Injection
MimeTeX versions from 1.76 up to 1.77 contain a code injection vulnerability. A malicious input string, when parsed by the engine, can trigger unintended command execution.

## Possibly Affected Users

If you are a user of Moodle, which appears to be one of the main platforms still using MimeTeX, please refer to their [advisory](https://moodle.org/mod/forum/discuss.php?d=467592) for mitigation guidance.

## Mitigation

If you are using MimeTeX:

- **Stop using it**, as it appears to be unmaintained and vulnerable.
- **Restrict user input** if usage cannot be immediately discontinued.
- **Isolate the service** using sandboxing or containerization to limit the impact of potential exploits.
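
One way to apply the "restrict user input" step while the renderer is still deployed, as an added example that is not part of the original README or of MimeTeX: a deny-by-default filter run on each expression before it is handed to the CGI or command line. The function name, length limit and command allowlist are assumptions; because the advisory redacts the trigger, the filter admits only a short list of plain math commands instead of blocking specific ones.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_EXPR_LEN 512  /* assumed limit; tune for your deployment */

/* Assumed allowlist of plain math commands; extend only after review. */
static const char *const ALLOWED_CMDS[] = {
    "frac", "sqrt", "sum", "int", "alpha", "beta", "pi", "theta",
    "left", "right", "cdot", "times", "leq", "geq", "infty", NULL
};

static int cmd_allowed(const char *name, size_t len) {
    for (size_t i = 0; ALLOWED_CMDS[i] != NULL; i++)
        if (strlen(ALLOWED_CMDS[i]) == len &&
            memcmp(ALLOWED_CMDS[i], name, len) == 0)
            return 1;
    return 0;
}

/* Returns 1 if expr may be passed to the renderer, 0 if it must be rejected. */
int mimetex_input_ok(const char *expr) {
    /* Everything outside alphanumerics and this set is refused. */
    static const char SAFE_PUNCT[] = " +-*/=^_{}()[].,";
    size_t n;
    if (expr == NULL) return 0;
    n = strlen(expr);
    if (n == 0 || n > MAX_EXPR_LEN) return 0;
    if (strstr(expr, "..") != NULL) return 0;  /* parent-directory sequences */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)expr[i];
        if (c == '\\') {
            size_t start = i + 1, end = start;
            while (end < n && isalpha((unsigned char)expr[end])) end++;
            /* A backslash must introduce an allowlisted command name. */
            if (end == start || !cmd_allowed(expr + start, end - start))
                return 0;
            i = end - 1;  /* resume scanning after the command name */
        } else if (!isalnum(c) && strchr(SAFE_PUNCT, c) == NULL) {
            return 0;  /* control bytes, quotes, ':', ';', '%', '$', ... */
        }
    }
    return 1;
}
```

Input filtering of this kind narrows exposure but does not replace the other two mitigation steps; the renderer should still run isolated.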

## Disclaimer

This repository is for informational purposes only. Technical details have been redacted to minimize potential risks to users and systems still using affected versions.

---

**CVE IDs:** [CVE-2024-40445](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40445), [CVE-2024-40446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40446)  
**Vendor:** forkosh  
**Status:** Affected versions are no longer actively maintained.
File snapshot

[4.0K] /data/pocs/ff441fe55701d7127ac3112ed0ac0061d21bf48b
└── [1.9K] README.md

0 directories, 1 file