Home > Vulnerability Database > CVE-2024-31450

Mend.io Vulnerability Database

CVE-2024-31450

Good to know:

Date: April 19, 2024

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.

Language: Go

Severity Score

2.7

Related Resources (8)

Url: https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/

Url: https://github.com/owncast/owncast

Url: https://securitylab.github.com/advisories/GHSL-2023-277_Owncast

Url: https://github.com/owncast/owncast/releases/tag/v0.1.3

Url: https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-31450

Url: https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e

Url: https://www.mend.io/vulnerability-database/CVE-2024-31450

Severity Score

2.7

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

Upgrade Version

Upgrade to version v0.1.3

Learn More

CVSS v3.1

Base Score:	2.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-31450

Good to know:

Date: April 19, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?