← Back to CVEs
CVE-2023-37461
MEDIUM5.6
Description
Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE Details
CVSS v3.1 Score5.6
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published7/17/2023
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
metersphere:metersphere
Weaknesses (CWE)
CWE-22
References
https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v(security-advisories@github.com)
https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.