CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2565 – PandaXGO PandaX File Extension upload.go unrestricted upload
https://notcve.org/view.php?id=CVE-2024-2565
17 Mar 2024 — A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. • https://github.com/PandaXGO/PandaX/issues/5 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2564 – PandaXGO PandaX user.go ExportUser path traversal
https://notcve.org/view.php?id=CVE-2024-2564
17 Mar 2024 — A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: '../filedir'. The attack may be initiated remotely. • https://github.com/PandaXGO/PandaX/issues/6 • CWE-24: Path Traversal: '../filedir' •
CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 1CVE-2024-2563 – PandaXGO PandaX upload.go DeleteImage path traversal
https://notcve.org/view.php?id=CVE-2024-2563
17 Mar 2024 — A vulnerability has been found in PandaXGO PandaX up to 20240310 and classified as critical. This vulnerability affects the function DeleteImage of the file /apps/system/router/upload.go. The manipulation of the argument fileName with the input ../../../../../../../../../tmp/1.txt leads to path traversal: '../filedir'. • https://github.com/PandaXGO/PandaX/pull/3 • CWE-24: Path Traversal: '../filedir' •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2562 – PandaXGO PandaX role_menu.go InsertRole sql injection
https://notcve.org/view.php?id=CVE-2024-2562
17 Mar 2024 — A vulnerability, which was classified as critical, was found in PandaXGO PandaX up to 20240310. This affects the function InsertRole of the file /apps/system/services/role_menu.go. The manipulation of the argument roleKey leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/PandaXGO/PandaX/issues/4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •