CVE-2023-47313

Name of the Vulnerable Software and Affected Versions Headwind MDM Web panel version 5.22.1

Description The issue allows for Directory Traversal, where the application's API call to move uploaded temporary files to the file directory during the file upload process is vulnerable. This API call uses two input parameters, path and localPath, with the first referring to the temporary file using an absolute path without validation. An attacker can modify this API call to refer to arbitrary files, resulting in the ability to move arbitrary files to the files directory, making them downloadable.

Recommendations For Headwind MDM Web panel version 5.22.1, as a temporary workaround, consider validating the path parameter in the API call to prevent arbitrary file movement. Restrict access to the file upload process to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.