PT-2024-15887 · Qwdigital · Qwdigital Linkwechat

Biantaibao · Published 2024-01-25 · Updated 2024-05-17 · CVE-2024-0882

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

qwdigital LinkWechat version 5.1.0

Description

A vulnerability was found in qwdigital LinkWechat, affecting an unknown part of the file /linkwechat-api/common/download/resource of the component Universal Download Interface. The manipulation of the name argument with the input /profile/../../../../../etc/passwd leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Recommendations

For qwdigital LinkWechat version 5.1.0, as a temporary workaround, consider restricting access to the /linkwechat-api/common/download/resource endpoint until a patch is available. Avoid using the name argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
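
A defender-side check for the issue described above, as an added example that is not part of the original advisory or of the LinkWechat code base: it scans web access logs for requests to the affected endpoint whose name parameter contains a `..` path segment after percent-decoding. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/linkwechat-api/common/download/resource"  # path named in the advisory
# Request line and status as they appear in a combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(name):
    """True if any path segment of the decoded value is exactly '..'."""
    segments = re.split(r"[/\\]+", fully_decode(name))
    return ".." in segments

def suspicious_requests(log_lines):
    """Return (line_no, status, decoded name) for traversal attempts on ENDPOINT."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if fully_decode(url.path).rstrip("/") != ENDPOINT:
            continue
        for name in parse_qs(url.query, keep_blank_values=True).get("name", []):
            if is_traversal(name):
                hits.append((line_no, int(m.group("status")), fully_decode(name)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jan/2024:10:00:01 +0000] "GET /linkwechat-api/common/download/resource?name=/profile/upload/2024/01/report.pdf HTTP/1.1" 200 48211',
    '198.51.100.9 - - [25/Jan/2024:10:00:05 +0000] "GET /linkwechat-api/common/download/resource?name=/profile/../../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.9 - - [25/Jan/2024:10:00:06 +0000] "GET /linkwechat-api/common/download/resource?name=%2Fprofile%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    '198.51.100.3 - - [25/Jan/2024:10:00:09 +0000] "GET /linkwechat-api/other?name=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 deserves priority in triage, since it suggests the server returned file content rather than rejecting the request.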

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-0882

Affected Products

Qwdigital Linkwechat