Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)
Vulnerability Description
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Owncast 安全漏洞
Vulnerability Description
Owncast是一个开源、自托管、去中心化、单用户实时视频流和聊天服务器。 Owncast 0.1.3之前版本存在安全漏洞,该漏洞源于Owncast 应用程序在 /api/admin 公开管理员 API,攻击者利用该漏洞可以删除系统上 emoji 目录之外的任意文件。
CVSS Information
N/A
Vulnerability Type
N/A