| Title | PandaX PandaX latest Arbitrary File Overwrite or Read |
|---|---|
| Description | The code does not check the passed `filename`. Use `../` to specify the exported Excel file name and directory location across directories, which can be used to overwrite files that should not be overwritten. Moreover, if the target file does not have write permission, `rc.Download(fileName)` will download the file again and it will become a file read. |
| Source | https://github.com/PandaXGO/PandaX/issues/6 |
| User | linyz-tel (UID 44909) |
| Submission | 03/10/2024 04:37 (2 years ago) |
| Moderation | 03/16/2024 08:10 (6 days later) |
| Status | Accepted |
| VulDB entry | 257063 [PandaXGO PandaX up to 20240310 /apps/system/api/user.go ExportUser filename path traversal] |
| Points | 18 |
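
The missing check described above, sketched as an added Go example; it is not PandaX code and not part of the submission. The helper `resolveExportPath`, the error `ErrUnsafeName`, the `./export` directory and the `.xlsx` extension are assumptions made for illustration. Because the same `fileName` feeds both the write and `rc.Download(fileName)`, validating it once before either call covers the overwrite case and the read case.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a client-supplied export name is rejected.
var ErrUnsafeName = errors.New("unsafe export filename")

// resolveExportPath (hypothetical helper) maps a client-supplied filename to a
// path inside baseDir, or fails. Only a bare file name is accepted.
func resolveExportPath(baseDir, fileName string) (string, error) {
	// Reject empty names, NUL bytes and both separator styles up front.
	if fileName == "" || strings.ContainsAny(fileName, "/\\\x00") {
		return "", ErrUnsafeName
	}
	// "." and ".." contain no separator but are not file names.
	if fileName == "." || fileName == ".." {
		return "", ErrUnsafeName
	}
	// Assumption: exports are .xlsx files; refuse any other extension.
	if strings.ToLower(filepath.Ext(fileName)) != ".xlsx" {
		return "", ErrUnsafeName
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, fileName)
	// Defence in depth: the joined path must still sit under base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate name, then rejected ones.
	names := []string{"users.xlsx", "../../etc/passwd", "..\\conf.xlsx", "/tmp/x.xlsx", ".."}
	for _, name := range names {
		p, err := resolveExportPath("./export", name)
		fmt.Printf("%-20q -> %q, %v\n", name, p, err)
	}
}
```
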