PT-2024-24088 · Unknown · Psitransfer

Onelovegg1 · Published 2024-04-05 · Updated 2024-04-10 · CVE-2024-31454

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: PsiTransfer versions prior to 2.2.0

Description: The issue arises from the absence of access restrictions on the PATCH /files/{id} endpoint, which is designed for uploading files. An attacker who has obtained the id of a file distribution can therefore modify the files within that distribution: sending a PATCH /files/{id} request with arbitrary content in the request body replaces the file with the specified id. The modified file is then served to subsequent users who download it, which allows the attacker to distribute malicious or phishing content.

Recommendations: For versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, restrict access to the PATCH /files/{id} endpoint to prevent unauthorized file modifications.


Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2024-31454
GHSA-2P2X-P7WJ-J5H2

Affected Products

Psitransfer