We use cookies to help us improve our webpage. Please read our Cookie Policy .

ASUSTOR Product Security Advisory

AS-2023-006: Download Center

2023-06-21

Severity

Important

Status

Resolved

Statement

Download Center fails to properly validate the file path submitted by a user, An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions.

  • The issue has been fixed on Download Center 1.1.5.r1298 for ADM 4.2.
  • The issue has been fixed on Download Center 1.1.5.r1301 for ADM 4.0.

Affected Products

Product Severity Fixed Release Availability
Download Center on ADM 4.2 and 4.1 Important Upgrade Download Center to 1.1.5.r1298 or above.
Download Center on ADM 4.0 Important Upgrade Download Center to 1.1.5.r1301 or above.

Detail

  • CVE-2023-2749
    • Severity: High
    • CVSS3 Base Score: 8.6
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
    • Download Center fails to properly validate the file path submitted by a user, An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions. Download Center on ADM 4.0 and above will be affected. Affected products and versions include: Download Center 1.1.5.r1280 and below.

Acknowledgement

Zhiyong Xing, Inner Mongolia Xinyuan Network Security Technology Co., Ltd., China


Revision

Revision Date Description
1 2023-05-31 Initial public release.
2 2023-05-31 CVE ID (CVE-2023-2749) is assigned for the issue.
3 2023-06-01 Release Download Center 1.1.5.r1298 for ADM 4.2 to fix the issue.
4 2023-06-21 Release Download Center 1.1.5.r1301 for ADM 4.0 to fix the issue.