{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60325?format=json","vulnerability_id":"VCID-pznq-z3h4-aqba","summary":"The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.","aliases":[{"alias":"CVE-2024-11311"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://www.twcert.org.tw/tw/cp-132-8246-d462a-1.html","reference_id":"cp-132-8246-d462a-1.html","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-18T13:46:09Z/"}],"url":"https://www.twcert.org.tw/tw/cp-132-8246-d462a-1.html"},{"reference_url":"https://www.twcert.org.tw/en/cp-139-8247-83457-2.html","reference_id":"cp-139-8247-83457-2.html","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-11-18T13:46:09Z/"}],"url":"https://www.twcert.org.tw/en/cp-139-8247-83457-2.html"}],"weaknesses":[{"cwe_id":23,"name":"Relative Path Traversal","description":"The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory."},{"cwe_id":434,"name":"Unrestricted Upload of File with Dangerous Type","description":"The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment."}],"exploits":[],"severity_range_score":"9.8 - 9.8","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pznq-z3h4-aqba"}