CVE-2024-3227

Name of the Vulnerable Software and Affected Versions Panwei eoffice OA versions up to 9.5

Description A critical issue affects the Backend component of the software, specifically the file /general/system/interface/theme set/save image.php. The manipulation of the image type argument leads to path traversal, allowing an attacker to access files using '../filedir'. This issue can be exploited remotely. The exploit has been publicly disclosed.

Recommendations For versions up to 9.5, consider disabling the save image.php function in the /general/system/interface/theme set/ directory until a patch is available. Restrict access to the vulnerable Backend component to minimize the risk of exploitation. Avoid using the image type argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.