CVE-2024-50843 identifies a directory listing vulnerability in PHPGurukul User Registration & Login and User Management System version 3.2. The issue allows remote attackers to enumerate files and directories under the /loginsystem/assets directory without requiring authentication or user interaction. This vulnerability stems from improper configuration or lack of access controls on the web server or application, which permits directory contents to be listed when accessed via HTTP. Directory listing can expose sensitive files such as configuration files, logs, or other resources that may contain credentials, internal paths, or other information useful for further exploitation. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), indicating a failure to restrict access to directories properly. The CVSS v3.1 base score is 5.3, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability primarily affects organizations running PHPGurukul User Registration & Login and User Management System 3.2, especially those exposing the /loginsystem/assets directory to the internet.

The primary impact of CVE-2024-50843 is the unauthorized disclosure of sensitive information due to directory listing exposure. Attackers can gain access to file names and contents within the /loginsystem/assets directory, potentially revealing configuration files, source code, or other sensitive data. This information disclosure can facilitate further attacks such as credential theft, privilege escalation, or exploitation of other vulnerabilities. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can lead to significant security risks. Organizations relying on PHPGurukul User Registration & Login and User Management System 3.2 may face increased risk of targeted attacks if sensitive files are exposed. The ease of exploitation (no authentication or user interaction required) increases the threat level, especially for publicly accessible web servers. However, the lack of known exploits in the wild and the medium CVSS score suggest a moderate but notable risk. The vulnerability could be leveraged as part of a multi-stage attack chain against web applications and their underlying infrastructure.

To mitigate CVE-2024-50843, organizations should immediately disable directory listing on the affected web server, particularly for the /loginsystem/assets directory. This can be done by configuring the web server (e.g., Apache, Nginx) to turn off directory indexing using directives like 'Options -Indexes' or equivalent. Additionally, implement strict access controls to restrict access to sensitive directories and files, ensuring only authorized users or processes can access them. Review and remove any unnecessary files or sensitive data from publicly accessible directories. If possible, update or patch the PHPGurukul User Registration & Login and User Management System to a version that addresses this vulnerability once available. Employ web application firewalls (WAFs) to detect and block suspicious directory enumeration attempts. Regularly audit web server configurations and conduct vulnerability scans to identify and remediate similar issues proactively. Finally, monitor logs for unusual access patterns to the /loginsystem/assets path to detect potential exploitation attempts.