Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function `file.save`, so that the file in the request body can be saved to any location in the file system through directory traversal.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
AstrBot 安全漏洞
Vulnerability Description
AstrBot是AstrBot开源的一个多平台 LLM 聊天机器人及开发框架。 AstrBot v3.5.22版本存在安全漏洞,该漏洞源于对文件/plugin/install-upload中参数filename的错误操作,可能导致目录遍历攻击。
CVSS Information
N/A
Vulnerability Type
N/A