| Titel | PandaX PandaX latest Arbitrary File Overwrite or Read |
|---|
| Beschreibung | The code does not check the passed `filename`. Use `../` to specify the exported excel file name and directory location across directories, which can be used to overwrite files that should not be overwritten.
Moreover, if the target file does not have write permission, `rc.Download(fileName)` will download the file again and it will become a file read. |
|---|
| Quelle | ⚠️ https://github.com/PandaXGO/PandaX/issues/6 |
|---|
| Benutzer | linyz-tel (UID 44909) |
|---|
| Einreichung | 10.03.2024 04:37 (vor 2 Jahren) |
|---|
| Moderieren | 16.03.2024 08:10 (6 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 257063 [PandaXGO PandaX bis 20240310 /apps/system/api/user.go ExportUser filename erweiterte Rechte] |
|---|
| Punkte | 18 |
|---|