PT-2024-28744 · Supos · Supos

Published: 2024-07-04 · Updated: 2025-11-10 · CVE-2024-39937

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: supOS version 5.0

Description: The issue allows directory traversal for reading files via the "api/image/download" endpoint, specifically when the fileName parameter contains ../. This enables unauthorized access to files on the system.

Recommendations: For supOS version 5.0, as a temporary workaround, consider restricting access to the "api/image/download" endpoint until a patch is available. Additionally, do not allow the fileName parameter of the affected endpoint to contain ../, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
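The two defensive measures the description and recommendations above call for, a server-side containment check on the fileName parameter and a way to spot traversal attempts against the endpoint in access logs, as an added illustration in Python. This is not supOS code and not part of the advisory: the image root directory, the endpoint mount path, the log format and every log line are constructed assumptions.

```python
"""Added example (not supOS code): containment check for a user-supplied
fileName and an access-log scanner for the download endpoint named in the
advisory. IMAGE_ROOT, ENDPOINT, the log format and SAMPLE_LOG are assumptions."""
from __future__ import annotations

import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the directory the endpoint is meant to serve files from.
IMAGE_ROOT = "/srv/supos/images"
# The affected endpoint from the advisory; the mount prefix is assumed.
ENDPOINT = "/api/image/download"


def canonicalize(file_name: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that double-encoded
    sequences such as %252e%252e/ are examined as ../ by the checks below."""
    current = file_name
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_download_path(file_name: str, root: str = IMAGE_ROOT) -> str | None:
    """Return the absolute path a handler may open, or None if the request
    must be refused. The check is lexical: the candidate is normalised
    (normpath collapses '..' segments) and must still lie under root."""
    name = canonicalize(file_name)
    # Null bytes and backslashes never occur in a legitimate image name here.
    if not name or "\x00" in name or "\\" in name:
        return None
    root = posixpath.normpath(root)
    # join() discards root for an absolute name, so '/etc/hosts' fails below too.
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed access-log lines in a Common Log Format style (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2024:10:00:01 +0000] "GET /api/image/download?fileName=logo.png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [04/Jul/2024:10:00:02 +0000] "GET /api/image/download?fileName=../../conf/settings.xml HTTP/1.1" 200 1432',
    '10.0.0.9 - - [04/Jul/2024:10:00:03 +0000] "GET /api/image/download?fileName=..%252f..%252fconf%252fdb.properties HTTP/1.1" 200 880',
    '10.0.0.7 - - [04/Jul/2024:10:00:04 +0000] "GET /api/other?fileName=../x HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines: list[str]) -> list[tuple[int, str]]:
    """Flag requests to the download endpoint whose fileName the containment
    check would refuse. Returns (1-based line number, decoded fileName)."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith(ENDPOINT):
            continue
        # parse_qs decodes once; resolve_download_path decodes further.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("fileName", []):
            if resolve_download_path(raw) is None:
                hits.append((lineno, canonicalize(raw)))
    return hits


if __name__ == "__main__":
    for lineno, name in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: refused fileName {name!r}")
```

The containment check is purely lexical, so a symlink inside the image directory that points elsewhere would still pass it; a handler should additionally compare os.path.realpath of the opened file against the root. Running the same refusal logic over logs means the detection rule and the mitigation cannot drift apart.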

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-39937

Affected Products: Supos