Zeroinfinitylab

**Name of the Vulnerable Software and Affected Versions** Iris versions prior to 2.4.24 **Description** Iris is a web collaborative platform used by incident responders to share technical details during investigations. The DFIR-IRIS datastore file management system has an issue where authenticated users can delete arbitrary filesystem paths. This is due to mass assignment of the `file local name` field combined with a lack of path validation in the delete operation. The issue can be exploited through a three-step process: uploading a file, modifying the `file local name` field to point to a target filesystem path, and then triggering the delete operation. **Recommendations** Update Iris to version 2.4.24 or later.