Beego · Beego · CVE-2022-31259
**Name of the Vulnerable Software and Affected Versions**
beego versions prior to 1.12.9
beego versions 2.x prior to 2.0.3
**Description**
The route lookup process in beego allows attackers to bypass access control by appending .xml to path segments when a route is configured. For example, when a /p1/p2/:name route is configured, attackers can reach it by requesting p1.xml instead of p1. This overly broad matching may permit an attacker to bypass access controls, such as those applied to the prefix "/a/", because the pattern "/a/b/:name" can match the URL "/a.xml/b/".
**Recommendations**
For beego versions prior to 1.12.9, update to version 1.12.9 or later.
For beego versions 2.x prior to 2.0.3, update to version 2.0.3 or later.
As a temporary workaround, consider restricting access to routes that use the `:name` parameter to minimize the risk of exploitation. Avoid using the `:name` parameter in routes until the issue is resolved.
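The following Go program is an added defensive example for the description and workaround above; it is not beego's own code and does not depend on beego. It implements the check a prefix-based access control misses: a request path whose non-final segment carries the ".xml" suffix named in the advisory (for example "/a.xml/b/" against a guard on "/a/"). The `bypassExtensions` list, the middleware name `RejectExtensionBypass` and the sample request paths are assumptions constructed for the example. Only non-final segments are flagged, so an ordinary file-style request such as "/a/b/report.xml" is left alone.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// bypassExtensions holds the segment suffix the advisory reports as being
// tolerated by the affected router. ".xml" is the one named in the advisory;
// keeping it in a slice is an assumption so further suffixes can be added.
var bypassExtensions = []string{".xml"}

// HasExtensionInNonFinalSegment reports whether any path segment other than
// the last one ends with a listed suffix, e.g. "/a.xml/b/" -> true.
// A suffix on the final segment ("/a/b/report.xml") is a normal resource
// request and is not flagged.
func HasExtensionInNonFinalSegment(path string) bool {
	segs := strings.Split(strings.Trim(path, "/"), "/")
	// segs always has at least one element, so the slice below is safe.
	for _, seg := range segs[:len(segs)-1] {
		lower := strings.ToLower(seg)
		for _, ext := range bypassExtensions {
			if strings.HasSuffix(lower, ext) {
				return true
			}
		}
	}
	return false
}

// RejectExtensionBypass wraps an http.Handler and answers 400 to requests
// whose non-final path segments carry a listed suffix, so the router behind
// it never performs the overly broad match. The handler name is assumed.
func RejectExtensionBypass(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if HasExtensionInNonFinalSegment(r.URL.Path) {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// FlagRequestPaths scans request paths (for instance extracted from access
// logs) and returns those matching the bypass pattern, for detection use.
func FlagRequestPaths(paths []string) []string {
	var hits []string
	for _, p := range paths {
		if HasExtensionInNonFinalSegment(p) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	// Constructed sample request paths, not real traffic.
	sample := []string{
		"/p1/p2/alice",
		"/p1.xml/p2/alice",
		"/a/b/report.xml",
		"/a.xml/b/",
	}
	for _, p := range FlagRequestPaths(sample) {
		fmt.Println("possible CVE-2022-31259 bypass attempt:", p)
	}

	// Wire the middleware in front of an ordinary mux; protected handlers
	// behind it only see paths that passed the check.
	mux := http.NewServeMux()
	mux.HandleFunc("/a/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "protected resource")
	})
	_ = RejectExtensionBypass(mux) // pass to http.ListenAndServe in a real service
}
```

Running the program prints the two flagged sample paths ("/p1.xml/p2/alice" and "/a.xml/b/"). The middleware is a stop-gap that complements, not replaces, upgrading to 1.12.9 or 2.0.3; it is also useful as a detection hook, since every rejected request is a candidate for alerting.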