Jmix · Jmix · CVE-2025-32950
**Name of the Vulnerable Software and Affected Versions**
Jmix versions 1.0.0 through 1.6.1
Jmix versions 2.0.0 through 2.3.4
**Description**
The issue allows attackers to manipulate the `fileRef` parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the `FileRef` directly in the database or by supplying a harmful value in the `fileRef` parameter of the "/files" endpoint of the generic REST API.
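The weakness described above is a file reference that the server resolves without confirming it stays inside the application's file storage. The following is an added example, not Jmix's own code: a small Java guard that rejects absolute references and anything that normalizes, or symlink-resolves, to a location outside a configured storage root. The class name, the storage root and the plain relative-path reference format are assumptions for illustration; the real `fileRef` format in Jmix is not reproduced here.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Jmix project code): resolve a user-supplied file reference
 * against a fixed storage root and refuse anything that would escape it.
 * The storage root and the reference format are assumptions for illustration.
 * Requires Java 11+ (Files.writeString in the demo).
 */
public final class FileRefGuard {

    private final Path root;

    public FileRefGuard(Path storageRoot) throws IOException {
        // Canonicalize the root once so symlinks in the root itself do not confuse the check.
        this.root = storageRoot.toRealPath();
    }

    /**
     * Returns the resolved path if fileRef stays inside the storage root, otherwise throws.
     * The containment check runs on the normalized path, and again on the real path
     * when the target exists, so symlinks planted inside the root cannot point outside it.
     */
    public Path resolve(String fileRef) throws IOException {
        if (fileRef == null || fileRef.isEmpty()) {
            throw new IllegalArgumentException("empty file reference");
        }
        // Paths.get throws InvalidPathException (an IllegalArgumentException) on NUL bytes etc.
        Path relative = Paths.get(fileRef);
        if (relative.isAbsolute()) {
            // An absolute reference can name any file the server process can read; never accept it.
            throw new IllegalArgumentException("absolute paths are not allowed: " + fileRef);
        }
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            // ".." segments collapsed by normalize() walked above the root.
            throw new IllegalArgumentException("reference escapes storage root: " + fileRef);
        }
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root)) {
                throw new IllegalArgumentException("reference resolves outside storage root: " + fileRef);
            }
            return real;
        }
        return candidate;
    }

    /** Convenience predicate for callers that only need a yes/no answer. */
    public boolean isSafe(String fileRef) {
        try {
            resolve(fileRef);
            return true;
        } catch (IOException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for the application's file storage.
        Path storage = Files.createTempDirectory("files-example");
        Files.createDirectories(storage.resolve("2025/04"));
        Files.writeString(storage.resolve("2025/04/report.pdf"), "sample");
        FileRefGuard guard = new FileRefGuard(storage);

        String[] samples = {
            "2025/04/report.pdf",         // legitimate reference inside the root
            "2025/../2025/04/report.pdf", // normalizes to the same file, still inside
            "../../etc/passwd",           // traversal above the root: rejected
            "/etc/passwd",                // absolute path: rejected
        };
        for (String ref : samples) {
            System.out.printf("%-28s -> %s%n", ref, guard.isSafe(ref) ? "allowed" : "rejected");
        }
    }
}
```

The check is done twice on purpose: `normalize()` catches `..` traversal before touching the filesystem, and `toRealPath()` catches symlinks that an otherwise valid reference inside the root might follow. Because `Path.startsWith` compares whole path components, a root of `/srv/files` does not accidentally accept `/srv/files-old/x`.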
**Recommendations**
For versions 1.0.0 through 1.6.1, update to version 1.6.2.
For versions 2.0.0 through 2.3.4, update to version 2.4.0.
As a temporary workaround, consider restricting access to the `/files` endpoint of the generic REST API until a patch is available.
Until the issue is resolved, do not pass untrusted values in the `fileRef` parameter.