PT-2024-21060 · Unknown · Pandaxgo Pandax

Linyz-Tel · Published 2024-03-17 · Updated 2024-05-17 · CVE-2024-2564

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: PandaXGO PandaX up to 20240310

Description: A critical issue affects the function ExportUser of the file /apps/system/api/user.go. Manipulation of the argument filename leads to path traversal, allowing an attacker to access files outside the intended directory, for example with a value such as '../filedir'. This issue can be exploited remotely.

Recommendations: For PandaXGO PandaX up to 20240310, as a temporary workaround, consider disabling the ExportUser function until a patch is available. Restrict access to the /apps/system/api/user.go file to minimize the risk of exploitation. Avoid using the filename argument in the affected API endpoint until the issue is resolved.
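The root cause described above is a caller-controlled filename reaching the filesystem unchecked. The following is an added illustration of the kind of confinement check an export handler needs; it is not PandaX code, and the function name SafeExportPath and the export directory /srv/pandax/export are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadFilename is returned when a caller-supplied export name would
// escape the export directory or is otherwise unacceptable.
var ErrBadFilename = errors.New("export: invalid filename")

// SafeExportPath confines a caller-controlled filename to exportDir.
// Hypothetical hardening helper (not PandaX code) for an endpoint like the
// ExportUser handler in the advisory, where "filename" is attacker input.
func SafeExportPath(exportDir, filename string) (string, error) {
	// The client may choose a base name only, never a directory component:
	// reject empty names and anything containing a path separator.
	if filename == "" || strings.ContainsAny(filename, `/\`) {
		return "", ErrBadFilename
	}
	// Clean canonicalises "." and "..", so a bare ".." cannot pass as a
	// name just because it contains no separator.
	clean := filepath.Clean(filename)
	if clean == "." || clean == ".." {
		return "", ErrBadFilename
	}
	// Defence in depth: join, then prove the result still lives under the
	// export directory. filepath.Rel starts with ".." if it escaped.
	base, err := filepath.Abs(exportDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, clean)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFilename
	}
	return full, nil
}

func main() {
	// Constructed sample inputs, including the advisory's '../filedir'.
	for _, name := range []string{"users.xlsx", "../filedir", "..", "a/b.csv", ""} {
		p, err := SafeExportPath("/srv/pandax/export", name)
		fmt.Printf("%-12q -> %q %v\n", name, p, err)
	}
}
```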

Related Identifiers: CVE-2024-2564

Affected Products: Pandaxgo Pandax