PT-2025-12082 · Unknown · Binary-Husky/Gpt Academic
Published 2025-03-20 · Updated 2025-07-29 · CVE-2024-10948
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
binary-husky/gpt academic (affected versions not specified)
Description
A vulnerability in the upload function allows any user to read arbitrary files on the system, including sensitive files such as config.py. An attacker can exploit this issue by intercepting the WebSocket request during file upload and replacing the file path with the path of the file they wish to read. The server then copies the file to the private upload folder and provides the path to the copied file, which can be accessed via a GET request. This can lead to the exposure of sensitive system files, potentially including credentials, configuration files, or sensitive user data.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
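Until a fixed version is available, the missing check is that the server must not trust the file path carried in the upload request. The following is an added example, not gpt_academic's code: it assumes uploads are first written to a staging directory the server controls, and every function, class and directory name in it is hypothetical.

```python
# Added example: all names here are hypothetical, not taken from gpt_academic.
import shutil
import tempfile
from pathlib import Path


class UnsafeUploadPath(Exception):
    """Client-supplied path is not a regular file inside the staging directory."""


def resolve_staged_file(staging_dir, client_path):
    """Return the real path of client_path if it is a regular file under staging_dir."""
    root = Path(staging_dir).resolve(strict=True)
    # An absolute client_path replaces root in the join; resolve() collapses ".." and symlinks.
    candidate = (root / client_path).resolve()
    if root not in candidate.parents or not candidate.is_file():
        raise UnsafeUploadPath(client_path)
    return candidate


def copy_to_private_folder(staging_dir, private_dir, client_path):
    """Copy a validated staged file into the user's private upload folder."""
    source = resolve_staged_file(staging_dir, client_path)
    destination = Path(private_dir) / source.name
    shutil.copyfile(source, destination)
    return destination


def demo():
    """Run the check over constructed sample paths and return {path kind: outcome}."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        staging, private, app = (Path(tmp) / n for n in ("staging", "private", "app"))
        for d in (staging, private, app):
            d.mkdir()
        (staging / "paper.pdf").write_text("uploaded content")
        (app / "config.py").write_text("API_KEY = 'constructed-placeholder'")
        samples = {"staged": "paper.pdf", "absolute": str(app / "config.py"),
                   "dot-dot": "../app/config.py"}
        for kind, path in samples.items():
            try:
                copy_to_private_folder(staging, private, path)
                outcomes[kind] = "copied"
            except UnsafeUploadPath:
                outcomes[kind] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Because the containment check runs on the resolved path, a symlink placed inside the staging directory that points elsewhere is rejected as well.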
Exploit
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Binary-Husky/Gpt Academic