PT-2023-6804 · Zdir · Zdir

Yuyan-Sec

Published

2023-01-10

Updated

2025-04-02

CVE-2023-23314

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions zdir version 3.2.0

Description The issue is related to an arbitrary file upload vulnerability in the /api/upload component. This vulnerability exists due to incorrect restriction of the directory path name with limited access. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code via a crafted .ssh file. The vulnerable component is the /api/upload endpoint, and the filename variable can be used to upload malicious files.

Recommendations For zdir version 3.2.0, consider disabling the /api/upload component until a patch is available to prevent exploitation. Restrict access to the /api/upload endpoint to minimize the risk of arbitrary code execution. Avoid using the filename variable in the /api/upload endpoint until the issue is resolved.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

BDU:2023-07672

CVE-2023-23314

Affected Products

Zdir

PT-2023-6804 · Zdir · Zdir

CVE-2023-23314

Weakness Enumeration

Related Identifiers

Affected Products

References · 8