CVE-2024-54373 is a path traversal vulnerability identified in the EduAdmin Booking software developed by Chris Gardenberg, affecting all versions up to and including 5.2.0. The vulnerability arises due to improper limitation of pathname inputs, which allows attackers to manipulate file paths to access files outside the intended restricted directories. This flaw enables PHP Local File Inclusion (LFI), a critical security issue where an attacker can include and execute arbitrary PHP files on the server. Such exploitation can lead to unauthorized disclosure of sensitive data, remote code execution, and potential full system compromise. The vulnerability does not require known authentication or user interaction, increasing its risk profile. Although no public exploits are currently known, the nature of LFI vulnerabilities makes them attractive targets for attackers. The vulnerability was reserved in early December 2024 and published mid-December 2024, with no CVSS score assigned yet and no official patches publicly available at the time of this report. The affected product is primarily used in educational environments for booking management, which may contain sensitive student and institutional data. The lack of patch links suggests that mitigation currently relies on workarounds or vendor advisories.

The impact of CVE-2024-54373 is significant for organizations using EduAdmin Booking software. Successful exploitation can lead to unauthorized access to sensitive files, including configuration files, credentials, and private data, compromising confidentiality. The ability to include and execute arbitrary PHP code can result in full system compromise, allowing attackers to manipulate data, disrupt services, or pivot to other network segments, thus affecting integrity and availability. Educational institutions are particularly vulnerable due to the sensitive nature of their data and the critical role of booking systems in their operations. The vulnerability's ease of exploitation without authentication increases the risk of widespread attacks. Organizations worldwide using this software face potential data breaches, operational disruptions, and reputational damage if exploited.

To mitigate CVE-2024-54373, organizations should immediately restrict file system permissions to limit the web server's access to only necessary directories, minimizing the impact of path traversal attempts. Implement strict input validation and sanitization on all user-supplied parameters that influence file paths, ensuring that directory traversal sequences (e.g., '../') are blocked or properly handled. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal and LFI attack patterns. Monitor logs for suspicious file access attempts and anomalous behavior indicative of exploitation. Coordinate with the software vendor for timely patch releases and apply updates as soon as they become available. As a temporary measure, disable or restrict PHP functions that facilitate file inclusion if feasible. Conduct regular security assessments and penetration testing focused on file inclusion vulnerabilities to identify and remediate weaknesses proactively.