PT-2024-14506 · Flaskcode · Flaskcode
Published 2024-01-12 · Updated 2024-01-24 · CVE-2023-52289
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
flaskcode versions through 0.0.8
Description
flaskcode through 0.0.8 allows unauthenticated directory traversal via a POST request to the "/update-resource-data/" API endpoint: the client-supplied file path is not confined to the resource directory, so an attacker can write attacker-controlled content to arbitrary files that the application process is permitted to write.
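The following is an added illustration of the bug class described above, not code from flaskcode itself: a hypothetical `unsafe_write` handler that joins a client-controlled path onto the resource root unchecked, beside a hardened `safe_write` that resolves the path and verifies it stays inside the root before touching the filesystem. Function names and the sample directory layout are constructed for the example.

```python
"""Path traversal in a file-update handler: naive join vs. containment check."""
import os
import tempfile
from pathlib import Path


def unsafe_write(base_dir: str, file_path: str, data: str) -> str:
    """Hypothetical vulnerable handler logic (not flaskcode's actual code).

    ``file_path`` comes straight from the request. ``../`` segments walk out of
    ``base_dir``, and if ``file_path`` is absolute, os.path.join silently
    discards ``base_dir`` altogether.
    """
    target = os.path.join(base_dir, file_path)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(data)
    return target


def resolve_inside(base_dir: str, file_path: str) -> Path:
    """Return the absolute target for ``file_path`` only if it stays inside
    ``base_dir`` after normalisation and symlink resolution; raise otherwise."""
    if not file_path or os.path.isabs(file_path):
        raise ValueError("absolute or empty path rejected")
    base = Path(base_dir).resolve()
    target = (base / file_path).resolve()
    # Check containment on the *resolved* path so '..' segments and symlinks
    # pointing outside the root are both caught.
    if base not in target.parents:
        raise ValueError("path escapes resource root")
    return target


def is_contained(base_dir: str, file_path: str) -> bool:
    """Boolean form of resolve_inside, convenient for checks and tests."""
    try:
        resolve_inside(base_dir, file_path)
        return True
    except ValueError:
        return False


def safe_write(base_dir: str, file_path: str, data: str) -> str:
    """Hardened counterpart of unsafe_write.

    Only existing regular files under ``base_dir`` may be updated; the endpoint
    is an 'update' operation, so creating new files is deliberately not allowed.
    """
    target = resolve_inside(base_dir, file_path)
    if not target.is_file():
        raise FileNotFoundError(f"{file_path} is not an existing resource")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(data)
    return str(target)


def demo() -> dict:
    """Constructed scenario: a resource root with one editable file and a
    traversal payload that points one level above it. Returns what happened."""
    root = Path(tempfile.mkdtemp())
    resources = root / "resources"
    resources.mkdir()
    (resources / "app.py").write_text("print('hello')\n", encoding="utf-8")
    evil = "../pwned.txt"  # constructed traversal payload

    unsafe_write(str(resources), evil, "owned\n")
    escaped = (root / "pwned.txt").is_file()  # True: file landed outside root

    try:
        safe_write(str(resources), evil, "owned\n")
        blocked = False
    except ValueError:
        blocked = True

    safe_write(str(resources), "app.py", "print('patched')\n")
    legit_ok = (resources / "app.py").read_text(encoding="utf-8") == "print('patched')\n"
    return {
        "unsafe_wrote_outside_root": escaped,
        "safe_blocked_traversal": blocked,
        "legit_update_ok": legit_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The containment check deliberately compares resolved paths rather than looking for a literal `..` substring: encoded or doubled separators, `./` noise and symlinks all collapse under `resolve()`, and the absolute-path case is rejected up front because `os.path.join` would otherwise drop the root. Pair this with authentication on the endpoint; path confinement alone still lets any caller overwrite files inside the resource root.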
Recommendations
For versions through 0.0.8, until a fixed release is available, disable the vulnerable view in views.py (the handler behind "/update-resource-data/") or restrict access to that endpoint, for example by requiring authentication or limiting it to trusted networks. Do not pass client-supplied values to the file path parameter of the affected endpoint until the issue is resolved.
Fix
Weakness Enumeration
Path traversal
Related Identifiers
Affected Products
Flaskcode