CVE-2024-2563

Name of the Vulnerable Software and Affected Versions PandaXGO PandaX up to 20240310

Description A critical issue has been identified, affecting the DeleteImage function in the /apps/system/router/upload.go file. The vulnerability can be exploited by manipulating the fileName argument with a specific input, such as ../../../../../../../tmp/1.txt, leading to path traversal. The attack can be initiated remotely.

Recommendations For PandaXGO PandaX up to 20240310, consider disabling the DeleteImage function as a temporary workaround until a patch is available. Restrict access to the /apps/system/router/upload.go file to minimize the risk of exploitation. Avoid using the fileName argument in the affected function until the issue is resolved.