{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-2565","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2024-03-16T07:10:19.474Z","datePublished":"2024-03-17T14:31:04.357Z","dateUpdated":"2024-08-12T15:52:09.649Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2024-03-17T14:31:04.357Z"},"title":"PandaXGO PandaX File Extension upload.go unrestricted upload","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-434","lang":"en","description":"CWE-434 Unrestricted Upload"}]}],"affected":[{"vendor":"PandaXGO","product":"PandaX","versions":[{"version":"20240310","status":"affected"}],"modules":["File Extension Handler"]}],"descriptions":[{"lang":"en","value":"A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257064."},{"lang":"de","value":"Es wurde eine kritische Schwachstelle in PandaXGO PandaX bis 20240310 ausgemacht. Betroffen hiervon ist ein unbekannter Ablauf der Datei /apps/system/router/upload.go der Komponente File Extension Handler. Mittels dem Manipulieren des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}],"timeline":[{"time":"2024-03-16T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2024-03-16T01:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2024-03-16T08:15:30.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"linyz-tel (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.257064","name":"VDB-257064 | PandaXGO PandaX File Extension upload.go unrestricted upload","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.257064","name":"VDB-257064 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://github.com/PandaXGO/PandaX/issues/5","tags":["exploit","issue-tracking"]}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T19:18:48.262Z"},"title":"CVE Program Container","references":[{"url":"https://vuldb.com/?id.257064","name":"VDB-257064 | PandaXGO PandaX File Extension upload.go unrestricted upload","tags":["vdb-entry","technical-description","x_transferred"]},{"url":"https://vuldb.com/?ctiid.257064","name":"VDB-257064 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required","x_transferred"]},{"url":"https://github.com/PandaXGO/PandaX/issues/5","tags":["exploit","issue-tracking","x_transferred"]}]},{"affected":[{"vendor":"panda_xgo","product":"pandax","cpes":["cpe:2.3:a:panda_xgo:pandax:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"20240310","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-03-18T15:04:53.666645Z","id":"CVE-2024-2565","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-12T15:52:09.649Z"}}]}}