Cp0204

**Name of the Vulnerable Software and Affected Versions** CasaOS-UserService versions prior to 0.4.7 **Description** The issue concerns a path traversal vulnerability in the UserService API, which allows an unauthorized actor to access any file on the system due to insufficient path filtering for user avatar image files. This could lead to the exposure of sensitive data, such as the CasaOS user database, and potentially result in privilege escalation to system root privileges. The vulnerability can be exploited by constructing paths to access arbitrary files, as demonstrated by the API endpoint "/v1/users/image" with a vulnerable `path` parameter. **Recommendations** For versions prior to 0.4.7, update to version 0.4.7 to fix the issue. As a temporary workaround, consider restricting access to the `/v1/users/image` API endpoint until the update can be applied. Additionally, avoid using the `path` parameter in the affected API endpoint until the issue is resolved.