CVE-2022-28052

Name of the Vulnerable Software and Affected Versions Roothub version 2.6.0

Description The issue allows remote attackers with low privilege to arbitrarily upload files via the "/common/upload" API endpoint, which could lead to remote arbitrary code execution. This is due to a Directory Traversal vulnerability in the file cn/roothub/store/FileSystemStorageService in the store function.

Recommendations For Roothub version 2.6.0, consider disabling the store function in the FileSystemStorageService file as a temporary workaround until a patch is available. Restrict access to the "/common/upload" API endpoint to minimize the risk of exploitation.