First published: Thu Feb 15 2024
The file download functionality in certain modules of HGiga OAKlouds contains an Arbitrary File Read and Delete vulnerability. An attacker can supply a file path in specific request parameters and download that file without logging in. Furthermore, the file is deleted from the server after it has been downloaded.
Credit: twcert@cert.org.tw
Affected Software | Affected Version | How to fix
---|---|---
HGiga OAKlouds-organization-2.0 | < 188 | Update OAKlouds-organization-2.0 to 188 or later
HGiga OAKlouds-organization-3.0 | < 188 | Update OAKlouds-organization-3.0 to 188 or later
HGiga OAKlouds-webbase-2.0 | < 1051 | Update OAKlouds-webbase-2.0 to 1051 or later
HGiga OAKlouds-webbase-3.0 | < 1051 | Update OAKlouds-webbase-3.0 to 1051 or later
CVE-2024-26261 is classified as a critical vulnerability due to its potential for arbitrary file read and deletion.
To fix CVE-2024-26261, apply the vendor updates listed above; in general, download endpoints of this kind should validate the requested path against an allowed directory and require authentication before serving any file.
Exploitation of CVE-2024-26261 may lead to unauthorized access to sensitive files and permanent deletion of files from the server.
CVE-2024-26261 affects several modules of the HGiga OAKlouds software, specifically OAKlouds-organization 2.0 and 3.0 prior to version 188, and OAKlouds-webbase 2.0 and 3.0 prior to version 1051.
No authentication is required: CVE-2024-26261 allows attackers to download and delete files without logging in.
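The mitigations described above (validating the requested path against an allowed directory, requiring a login, and not deleting the served file) as an added illustrative handler; this is example code written for this page, not HGiga OAKlouds' own code, and the `DOWNLOAD_ROOT` directory, `session` dict and return shape are assumptions.

```python
import os
from typing import Optional, Tuple

# Assumed download directory for the example; not an OAKlouds path.
DOWNLOAD_ROOT = "/srv/example-app/downloads"


def resolve_download_path(root: str, requested: str) -> Optional[str]:
    """Map an untrusted request parameter to a file inside `root`.

    Returns the canonical absolute path, or None when the parameter is
    empty, absolute, contains a NUL byte, names the root itself, or
    escapes `root` once "..", "./" and symlinks have been resolved.
    """
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        return None
    # Canonicalise both sides so traversal sequences and symlinks cannot
    # be used to step outside the allowed directory.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate == root_real:
        return None
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def handle_download(session: dict, requested: str) -> Tuple[int, Optional[str]]:
    """Hypothetical authenticated, read-only download handler.

    Returns (HTTP status, path to serve). Unlike the vulnerable behaviour
    in the advisory, the file is never deleted after being served.
    """
    if not session.get("user"):
        return (401, None)  # must be logged in
    path = resolve_download_path(DOWNLOAD_ROOT, requested)
    if path is None:
        return (400, None)  # rejected: outside the allowed directory
    return (200, path)      # serve and stop; no os.remove() here
```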