Vulnerability title
PsiTransfer vulnerable to violation of the integrity of file distribution
Vulnerability description
PsiTransfer is an open-source, self-hosted file sharing solution. Prior to version 2.2.0, because the endpoint that creates an upload-file path within a file distribution lacks restrictions, an attacker can add arbitrary files to a distribution. This vulnerability allows an attacker to affect users who later visit the file distribution by slipping in files bearing a malicious or phishing signature. Version 2.2.0 contains a patch for this issue.
CVE-2024-31453 allows a user to violate the integrity of a file bucket and upload new files into it, whereas the vulnerability numbered CVE-2024-31454 allows a user to violate the integrity of a single file uploaded by someone else by writing data into it, but does not allow uploading new files to the bucket. The two vulnerabilities are therefore reproduced differently, require different security recommendations, and affect different objects of the application's business logic.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Vulnerability category
Unrestricted Upload of File with Dangerous Type
Vulnerability title
PsiTransfer vulnerable to violation of the integrity of file distribution
Vulnerability description
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint that lets users create a path for uploading a file into a file distribution allows an attacker to add arbitrary files to the distribution. The vulnerability allows an attacker to influence the users who come to the file distribution after them and slip the victims files with a malicious or phishing signature. Version 2.2.0 contains a patch for the issue.
CVE-2024-31453 allows users to violate the integrity of a file bucket and upload new files there, while the vulnerability numbered CVE-2024-31454 allows users to violate the integrity of a single file uploaded by another user by writing data into it, but does not allow uploading new files to the bucket. The vulnerabilities are therefore reproduced differently, require different security recommendations, and affect different objects of the application's business logic.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability category
Unrestricted Upload of File with Dangerous Type
Vulnerability title
PsiTransfer security vulnerability
Vulnerability description
PsiTransfer is a simple open-source, self-hosted file sharing solution by the individual developer Christoph Wiechert. Versions of PsiTransfer prior to 2.2.0 have a security vulnerability that stems from an unrestricted endpoint that allows users to create upload-file paths within a file distribution; an attacker can exploit it to add arbitrary files to a distribution and use a malicious or phishing signature to steal victims' files.
CVSS information
N/A
Vulnerability category
Other