CVE-2021-29246

Name of the Vulnerable Software and Affected Versions: BTCPay Server versions 1.0.0 through 1.0.7.0

Description: The issue allows an attacker with admin privileges to achieve code execution through directory traversal. This is done by crafting a malicious plugin file with special characters to upload the file outside of the restricted directory.

Recommendations: For BTCPay Server versions 1.0.0 through 1.0.7.0, consider disabling the plugin upload feature until a patch is available to prevent potential code execution. Restrict access to the admin panel to minimize the risk of exploitation by unauthorized users. Avoid using special characters in plugin file names to reduce the risk of directory traversal. At the moment, there is no information about a newer version that contains a fix for this vulnerability.