| Title | PandaX PandaX latest Arbitrary File Overwrite or Read |
|---|---|
| Description | The code does not check the passed `filename`. Use `../` to specify the exported excel file name and directory location across directories, which can be used to overwrite files that should not be overwritten. Moreover, if the target file does not have write permission, `rc.Download(fileName)` will download the file again and it will become a file read. |
| Source | ⚠️ https://github.com/PandaXGO/PandaX/issues/6 |
| User | linyz-tel (UID 44909) |
| Submission | 2024-03-10 04:37 AM (2 years ago) |
| Moderation | 2024-03-16 08:10 AM (6 days later) |
| Status | Accepted |
| VulDB entry | 257063 [PandaXGO PandaX up to 20240310 /apps/system/api/user.go ExportUser filename privilege escalation] |
| Points | 18 |
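
One way to validate an export `filename` before it is joined to a directory, shown as an added example that is not PandaX code. The names `SafeExportPath`, `CreateExport` and `ErrBadName`, the `./exports` directory and the `.xlsx`-only rule are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrBadName = errors.New("invalid export filename")

// SafeExportPath (hypothetical helper, not PandaX code) maps a caller-supplied
// name to a path that stays inside exportDir.
func SafeExportPath(exportDir, name string) (string, error) {
	// Accept only a bare *.xlsx name (assumed export type): no separators
	// of either platform, no "..", no NUL byte.
	if name == "" || name == ".." || strings.ContainsAny(name, "/\\\x00") ||
		filepath.Base(name) != name || filepath.Ext(name) != ".xlsx" {
		return "", ErrBadName
	}
	base, err := filepath.Abs(exportDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name)
	// Defence in depth: the joined path must still resolve under base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadName
	}
	return full, nil
}

// CreateExport refuses to overwrite an existing file (O_EXCL); the caller must
// abort on error instead of going on to serve the path.
func CreateExport(exportDir, name string) (*os.File, error) {
	p, err := SafeExportPath(exportDir, name)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

func main() {
	for _, n := range []string{"users.xlsx", "../../etc/passwd", "..\\conf.xlsx"} { // constructed inputs
		_, err := SafeExportPath("./exports", n)
		fmt.Printf("%-20q rejected=%v\n", n, err != nil)
	}
}
```

A handler using this should return the error to the client as soon as `CreateExport` fails, so that a failed write never continues into the download step.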