Unknown · Fastapi-Admin · CVE-2026-2976
**Name of the Vulnerable Software and Affected Versions**
FastApiAdmin versions prior to 2.3
**Description**
A weakness in FastApiAdmin allows information disclosure. It is triggered by manipulating the `file path` argument of the `download controller` function, located in the file `/backend/app/api/v1/module common/file/controller.py` of the Download Endpoint component. The attack can be initiated remotely, and an exploit is publicly available.
**Recommendations**
Update FastApiAdmin to version 2.3 or later.
As a temporary workaround, restrict access to the `download controller` function until a patch is available.
Avoid using the parameter `file path` in the affected API endpoint `/backend/app/api/v1/module common/file/controller.py` until the issue is resolved.
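The advisory does not state the root cause. As an added example (not FastApiAdmin's code and not its 2.3 fix), the following shows one common way a download handler can confine a caller-supplied path to a single base directory before serving it; `resolve_download_path`, `UnsafePathError` and the sample files are hypothetical names constructed for illustration.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """The requested path is not a regular file inside the download root."""


def resolve_download_path(base_dir: str, requested: str) -> Path:
    """Return the real path for `requested` only if it stays inside `base_dir`."""
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty path or NUL byte")
    base = Path(base_dir).resolve(strict=True)
    # An absolute `requested` replaces `base` when joined, and resolve()
    # collapses ".." and follows symlinks, so the containment check below
    # is made on the real target rather than on the string the caller sent.
    candidate = (base / requested).resolve(strict=False)
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise UnsafePathError(f"outside download root: {requested!r}")
    if not candidate.is_file():
        raise UnsafePathError(f"not a regular file: {requested!r}")
    return candidate


def demo() -> list:
    """Check constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"          # hypothetical download root
        root.mkdir()
        (root / "report.txt").write_text("public")
        outside = Path(tmp) / "settings.env"  # constructed file outside the root
        outside.write_text("SECRET=constructed")
        (root / "link.txt").symlink_to(outside)
        requests = ["report.txt", "../settings.env", str(outside),
                    "link.txt", "missing.txt"]
        verdicts = []
        for req in requests:
            try:
                resolve_download_path(str(root), req)
                verdicts.append("served")
            except UnsafePathError:
                verdicts.append("rejected")
        return verdicts


if __name__ == "__main__":
    print(demo())
```

Rejections raised by such a check are worth logging with the caller identity, since repeated out-of-root requests against a download endpoint are a useful detection signal.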