CVE-2024-31453

Published: Apr 9, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint, which allows users to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution. The vulnerability allows an attacker to influence those users who come to the file distribution after them and slip the victim files with a malicious or phishing signature. Version 2.2.0 contains a patch for the issue. CVE-2024-31453 allows users to violate the integrity of a file bucket and upload new files there, while the vulnerability with the number CVE-2024-31454 allows users to violate the integrity of a single file that is uploaded by another user by writing data there and not allows you to upload new files to the bucket. Thus, vulnerabilities are reproduced differently, require different security recommendations and affect different objects of the application’s business logic.

Vendor	Product	Versions
psi-4ward	psitransfer	affected `< 2.2.0`

Weaknesses (CWE)

CWE-434

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-xg8v-m2mh-45m6

x_refsource_CONFIRM

https://github.com/psi-4ward/psitransfer/commit/b9853c97e6911e1c1c5341245ca1eb363fda5269

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-31453

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References