CVE-2024-29196

Description

### Summary There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. ### PoC 1. In settings, the attachment location is vulnerable to path traversal and can be set to e.g ..\hacked ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/6167ba74-254c-4aed-9c16-759e5ceafd81) 2. When the above is set, attachments files are now uploaded to e.g C:\Apps\XAMPP\htdocs\hacked instead of C:\Apps\XAMPP\htdocs\phpmyfaq\attachments 3. Verify this by uploading an attachment and see that the "hacked" directory is now created in the web root folder with the attachment file inside. ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/325df0cc-e9ee-48bd-a7bb-1295199b4d9e) ![image](https://github.com/thorsten/phpMyFAQ/assets/63487456/beb10a6a-9d56-4607-8da6-49581991b1fe) ### Impact Attackers can potentially upload malicious files outside the specified directory.

How to fix CVE-2024-29196

To remediate CVE-2024-29196, upgrade the affected package to a fixed version below.

—upgrade to 3.2.6 or later

Is CVE-2024-29196 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.2.5, < 3.2.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N