CVE-2023-46863

Name of the Vulnerable Software and Affected Versions Peppermint Ticket Management versions prior to 0.2.4

Description The issue allows remote attackers to read arbitrary files via a "/api/v1/users/file/download?filepath=./../" POST request. This is a significant security concern as it potentially exposes sensitive data.

Recommendations For versions prior to 0.2.4, update to version 0.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v1/users/file/download" API endpoint until the update is applied. Avoid using the filepath variable in the affected API endpoint with relative paths that can be manipulated to access files outside the intended directory.