CVE-2023-23314

Name of the Vulnerable Software and Affected Versions zdir version 3.2.0

Description The issue is related to an arbitrary file upload vulnerability in the /api/upload component. This vulnerability exists due to incorrect restriction of the directory path name with limited access. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code via a crafted .ssh file. The vulnerable component is the /api/upload endpoint, and the filename variable can be used to upload malicious files.

Recommendations For zdir version 3.2.0, consider disabling the /api/upload component until a patch is available to prevent exploitation. Restrict access to the /api/upload endpoint to minimize the risk of arbitrary code execution. Avoid using the filename variable in the /api/upload endpoint until the issue is resolved.