PT-2024-24090 · Unknown · Gin-Vue-Admin
Highpixelmaxqm · Published 2024-04-09 · Updated 2024-05-20 · CVE-2024-31457
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
gin-vue-admin versions 2.6.1 and earlier
Description
The issue is a code injection vulnerability in the backend of gin-vue-admin, specifically in the Plugin System -> Plugin Template feature. An attacker can perform directory traversal by manipulating the plugName parameter, allowing them to create specific folders and insert arbitrary code into Go files within those folders. The vulnerability exists because the plugName field of the request struct is attacker-controlled and is used to build a filesystem path without validation.
Recommendations
For gin-vue-admin version 2.6.1, update to a version that contains the patch for this issue, specifically pseudoversion 0.0.0-20240409100909-b1b7427c6ea6 or later.
As a temporary workaround for versions prior to the fixed version, filter the input to close the directory traversal, for example by rejecting any value of the plugPath variable that contains "..".
Exploit
Fix
Path traversal
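The workaround in the Recommendations above (rejecting names that contain "..") and the shape of a proper fix, written as an added Go example that is not gin-vue-admin's own code. The function names SafePluginDir and ContainsDotDot, the base directory ./plugin, the character allowlist and the sample inputs are assumptions for illustration; the allowlist and the base-directory containment check go beyond the advisory's ".." check and are included as defence in depth.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadPluginName is returned for any plugin name that fails validation.
var ErrBadPluginName = errors.New("invalid plugin name")

// validPlugName allows only a single path component of ASCII letters, digits
// and underscores. The allowlist is an assumption for this example; the
// advisory itself only suggests rejecting "..".
var validPlugName = regexp.MustCompile(`^[A-Za-z0-9_]{1,64}$`)

// ContainsDotDot is the minimal check the advisory suggests as a workaround.
func ContainsDotDot(name string) bool {
	return strings.Contains(name, "..")
}

// SafePluginDir resolves the directory a plugin template would be written to
// and refuses any plugin name that would escape baseDir.
func SafePluginDir(baseDir, plugName string) (string, error) {
	// First line of defence: reject traversal sequences, path separators and
	// anything outside the allowlist before the name ever touches a path.
	if plugName == "" || ContainsDotDot(plugName) ||
		strings.ContainsAny(plugName, `/\`) || !validPlugName.MatchString(plugName) {
		return "", fmt.Errorf("%w: %q", ErrBadPluginName, plugName)
	}

	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, plugName) // Join also cleans the result

	// Second line of defence: confirm the resolved path still lies under base,
	// so the check holds even if the allowlist above is later relaxed.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrBadPluginName, plugName, base)
	}
	return target, nil
}

func main() {
	// Constructed sample inputs: one legitimate name and three traversal attempts.
	for _, name := range []string{"myplugin", "../../outside", "x/../../outside", `api\..\core`} {
		dir, err := SafePluginDir("./plugin", name)
		if err != nil {
			fmt.Printf("REJECT %q: %v\n", name, err)
			continue
		}
		fmt.Printf("OK     %q -> %s\n", name, dir)
	}
}
```

The ".." check alone is what the advisory recommends as a stopgap; the allowlist and the filepath.Rel containment check are what a permanent fix should rely on, because a single substring test is easy to bypass the moment the code path is changed to accept nested names.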
Weakness Enumeration
Related Identifiers
Affected Products
Gin-Vue-Admin