Raspberry Pi · Pisignage · CVE-2019-20354
**Name of the Vulnerable Software and Affected Versions**
piSignage versions prior to 2.6.4
**Description**
The vulnerability allows a remote attacker who is authenticated as a low-privilege user to download arbitrary files from the Raspberry Pi. It is a path traversal flaw in the "api/settings/log" endpoint of the player API (the log download function): the `file` parameter is used to build the path of the log file to serve, and a "../" sequence in that parameter is not rejected, so the request can reference files outside the intended log directory.
**Recommendations**
For versions prior to 2.6.4, update to version 2.6.4 or later, which resolves the issue. Until the update is applied, restrict access to the "api/settings/log" endpoint or disable the log download feature, and do not rely on the `file` parameter of the affected endpoint.