PT-2023-25976 · Unknown · Metersphere

Lujiefsi · Published 2023-07-17 · Updated 2023-07-27 · CVE-2023-37461

CVSS v3.1: 5.6 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Metersphere versions prior to 2.10.3

Description

Metersphere is an open-source testing framework. Files uploaded to Metersphere may define a belongType value containing a relative path such as ../../../../. Because that value is used when building the destination path of the upload, Metersphere may attempt to overwrite an existing file at the attacker-chosen location or to create a new file there. Attackers are limited to writing files that the Metersphere process itself has write access to.

Recommendations

For versions prior to 2.10.3, upgrade to version 2.10.3, which addresses the issue. As a temporary workaround, restrict who may upload files, or limit the Metersphere process's access to sensitive files, until the upgrade is applied.
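The following added example (not MeterSphere's own code) shows the path-building pattern the description implies, a belongType value spliced straight into the destination path, beside a hardened variant that confines writes to the upload directory. The upload root, the function names and the sample inputs are assumptions made for illustration; the example uses posixpath so the results do not depend on the host platform.

```python
import posixpath
import re

# Assumed (hypothetical) upload root; the real deployment path is not given on this page.
UPLOAD_ROOT = "/opt/metersphere/data/body"

# One plain path component: letters, digits, underscore, hyphen, dot. No separators.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def vulnerable_target(base_dir, belong_type, file_name):
    """The flawed pattern the advisory describes: the attacker-controlled belongType is
    joined into the destination path as-is. '../' sequences walk out of base_dir, and an
    absolute value discards base_dir entirely (posixpath.join semantics)."""
    return posixpath.normpath(posixpath.join(base_dir, belong_type, file_name))


def is_confined(base_dir, candidate):
    """True only if the normalised candidate lies strictly inside base_dir."""
    base = posixpath.normpath(base_dir)
    cand = posixpath.normpath(candidate)
    return posixpath.commonpath([base, cand]) == base and cand != base


def hardened_target(base_dir, belong_type, file_name):
    """Reject any belongType or fileName that is not a single plain component, then
    re-check the resolved path (defence in depth). Raises ValueError on rejection."""
    for name, value in (("belongType", belong_type), ("fileName", file_name)):
        if value in (".", "..") or not SAFE_COMPONENT.fullmatch(value):
            raise ValueError(f"{name} is not a plain path component: {value!r}")
    target = posixpath.normpath(posixpath.join(base_dir, belong_type, file_name))
    if not is_confined(base_dir, target):
        raise ValueError(f"resolved path escapes {base_dir}: {target}")
    return target


def classify(base_dir, belong_type, file_name):
    """Return (vulnerable_path, escaped, hardened_result) for one input so the two
    behaviours can be compared side by side."""
    vuln = vulnerable_target(base_dir, belong_type, file_name)
    try:
        hard = hardened_target(base_dir, belong_type, file_name)
    except ValueError as exc:
        hard = f"rejected: {exc}"
    return vuln, not is_confined(base_dir, vuln), hard


if __name__ == "__main__":
    # Constructed sample inputs (not captured from a real MeterSphere request).
    samples = [
        ("API", "case.json"),            # legitimate value, accepted by both
        ("../../../../tmp", "evil.sh"),  # relative traversal, as in the advisory
        ("/etc", "crontab"),             # absolute value replaces the base directory
        ("API/../..", "x.json"),         # traversal hidden behind a valid prefix
    ]
    for bt, fn in samples:
        vuln, escaped, hard = classify(UPLOAD_ROOT, bt, fn)
        print(f"belongType={bt!r:<20} vulnerable -> {vuln} (escapes: {escaped})")
        print(f"{'':31} hardened   -> {hard}")
```

The component allow-list is the actual control; the commonpath check after normalisation is a second, independent guard so that a future change to how the path is assembled cannot silently reintroduce the escape.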

Weakness Enumeration

Path traversal

Related identifiers

CVE-2023-37461
GHSA-XFR9-JGFP-FX3V

Affected products

Metersphere