CVE-2024-40088

A Directory Traversal vulnerability in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to enumerate the existence and length of any file in the filesystem by placing malicious payloads in the path of any HTTP request.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://vilo.com	Not Applicable
https://github.com/byu-cybersecurity-research/vilo/blob/main/vulns/CVE-2024-40088.md	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:viloliving:vilo_5_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:viloliving:vilo_5:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-10-21 21:15

Updated : 2025-07-07 17:37

NVD link : CVE-2024-40088

Mitre link : CVE-2024-40088

CVE.ORG link : CVE-2024-40088

JSON object : View

Products Affected

viloliving

vilo_5
vilo_5_firmware

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2024-40088", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-10-21T21:15:06.080", "references": [{"url": "http://vilo.com", "tags": ["Not Applicable"], "source": "[email protected]"}, {"url": "https://github.com/byu-cybersecurity-research/vilo/blob/main/vulns/CVE-2024-40088.md", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "A Directory Traversal vulnerability in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to enumerate the existence and length of any file in the filesystem by placing malicious payloads in the path of any HTTP request."}, {"lang": "es", "value": "Una vulnerabilidad de recorrido de directorio en el servidor web Boa del sistema WiFi Mesh Vilo 5 <= 5.16.1.33 permite a atacantes remotos no autenticados enumerar la existencia y la longitud de cualquier archivo en el sistema de archivos colocando cargas \u00fatiles maliciosas en la ruta de cualquier solicitud HTTP."}], "lastModified": "2025-07-07T17:37:43.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:viloliving:vilo_5_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE511F6D-2988-4CC4-871A-35BFD35B593C", "versionEndIncluding": "5.16.1.33"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:viloliving:vilo_5:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C570CD02-826A-4682-8BB3-251011DD5C85"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}