Unrestricted File Upload Vulnerability in PandaXGO PandaX
CVE-2024-2565

9.8CRITICAL

Key Information:

Vendor

Pandaxgo

Status
Pandax
Vendor
CVE Published:
17 March 2024

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2024-2565?

A vulnerability was identified in the PandaXGO PandaX product, specifically within the file upload functionality located in /apps/system/router/upload.go. This weakness arises from improper handling of file extensions, which allows for unrestricted file uploads. Attackers can exploit this flaw remotely, making it possible to upload malicious files that could compromise the system integrity. The exploit has been publicly disclosed, heightening the risk for users operating under the affected version. Organizations should take immediate action to secure their systems and update to the latest versions to mitigate potential threats.

Affected Version(s)

PandaX 20240310

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-2565 - Proof of Concept

References

https://vuldb.com/?id.257064
vdb-entrytechnical-description
https://vuldb.com/?ctiid.257064
signaturepermissions-required
https://github.com/PandaXGO/PandaX/issues/5
exploitissue-tracking

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

linyz-tel (VulDB User)
JSON
.
CVE-2024-2565 : Unrestricted File Upload Vulnerability in PandaXGO PandaX