ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as `/etc`, potentially exposing critical configuration files and increasing the risk of further attacks. As of time of publication, no known patched versions are available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

对外部实体的文件或目录可访问

ZimaOS 安全漏洞

ZimaOS是IceWhaleTech的一个开源的操作系统项目，旨在提供一个轻量级、高性能、安全的操作系统环境。 ZimaOS 1.2.4版本之前存在安全漏洞，该漏洞源于ZimaOS中的API端点/v2_1/file容易受到目录遍历攻击，允许经过身份验证的用户列出服务器上任何目录的内容。

N/A

N/A