Ahmetak4N

Name of the Vulnerable Software and Affected Versions: Plenti versions 0.7.16 and earlier Description: The issue allows code execution when users upload '.svelte' files with the /postLocal endpoint and define the file name as javascript codes. The server executes the uploaded file name, causing code execution. This can lead to a Denial of Service impact due to the sandboxing. If there is a vulnerability in v8go that allows escaping the sandbox, different impacts can be shown. Recommendations: For Plenti versions 0.7.16 and earlier, as a temporary workaround, consider restricting access to the /postLocal endpoint to minimize the risk of exploitation. Avoid using the `file` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.