Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ZimaOS: Unauthorized Creation of Files/Folders in Restricted System Directories via API
Vulnerability Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
ZimaOS 安全漏洞
Vulnerability Description
ZimaOS是IceWhaleTech的一个开源的操作系统项目,旨在提供一个轻量级、高性能、安全的操作系统环境。 ZimaOS 1.5.2-beta3版本存在安全漏洞,该漏洞源于API未正确验证目标路径,可能导致在敏感系统目录中创建文件或目录。
CVSS Information
N/A
Vulnerability Type
N/A