Convoy · Convoy · CVE-2025-52562
Name of the Vulnerable Software and Affected Versions:
Convoy versions 3.9.0-rc3 through 4.4.0
Description:
Convoy is a KVM server management panel for hosting businesses. A directory traversal vulnerability in the LocaleController component allows an unauthenticated remote attacker to include and execute arbitrary PHP files on the server by sending a specially crafted HTTP request with malicious `locale` and `namespace` parameters. The issue has been patched in version 4.4.1. As a temporary workaround, apply strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.
Recommendations:
For Convoy versions 3.9.0-rc3 through 4.4.0, update to version 4.4.1 to resolve the issue.
As a temporary workaround, consider applying strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.
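The request pattern in the description and the WAF workaround above, as an added defender-side log check (not code from the Convoy project or this advisory): it flags access-log requests whose `locale` or `namespace` parameters carry traversal sequences, including double-encoded and backslash variants. The `/locales` path, the sample log lines and the value allowlists are constructed assumptions; the advisory does not name the route.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two parameters the advisory names as the injection points in LocaleController.
WATCHED_PARAMS = ("locale", "namespace")
# Allowlists are an assumption about well-formed values ("en", "pt_BR", "auth");
# they are not taken from Convoy's source.
ALLOWED = {
    "locale": re.compile(r"^[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?$"),
    "namespace": re.compile(r"^[A-Za-z0-9_-]+$"),
}
# Request line inside a combined-format access log: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Constructed sample log; "/locales" is a placeholder path, not Convoy's real route.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jun/2025:10:00:01 +0000] "GET /locales?locale=en&namespace=auth HTTP/1.1" 200 412',
    '203.0.113.11 - - [20/Jun/2025:10:00:02 +0000] "GET /locales?locale=..%252F..%252Fstorage&namespace=logs HTTP/1.1" 200 9',
    '203.0.113.12 - - [20/Jun/2025:10:00:03 +0000] "GET /locales?locale=pt_BR&namespace=..%5C..%5Cconfig HTTP/1.1" 200 7',
]


def decode_fully(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until stable so double-encoded %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_param(name: str, raw_value: str):
    """Return why a watched parameter looks like traversal, or None if it is clean."""
    value = decode_fully(raw_value).replace("\\", "/")  # treat Windows separators alike
    if "\0" in value or value.startswith("/") or ".." in value.split("/"):
        return f"{name}: path traversal sequence"
    if not ALLOWED[name].match(value):
        return f"{name}: value outside allowlist"
    return None

def scan_log_line(line: str) -> list:
    """All reasons one access-log line looks like a CVE-2025-52562 attempt."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return [r for name in WATCHED_PARAMS for raw in params.get(name, [])
            if (r := classify_param(name, raw))]

def scan_log(lines: list) -> dict:
    # Map line index -> reasons, for flagged lines only.
    return {i: r for i, line in enumerate(lines) if (r := scan_log_line(line))}
```

Run against a real access log, the same checks translate directly into the WAF rule the advisory recommends, rejecting the request instead of flagging the line.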