Published on February 15, 2024, CVE-2024-26261 exposes a critical vulnerability in HGiga OAKlouds. This flaw resides in the file download functionality within certain modules, allowing attackers to execute Arbitrary File Read and Delete actions without requiring authentication. By manipulating specific request parameters with a file path, malicious actors can download sensitive files and subsequently delete them, posing a severe security risk to affected systems.
The vulnerability holds a CVSS base score of 9.8, categorizing it as critical. The Common Vulnerabilities and Exposures (CVE) identifies it as a Directory Traversal issue (CWE-22), specifically noting improper limitations on a pathname, enabling unauthorized access to files outside the intended directory. The Taiwan Computer Emergency Response Team Coordination Center (TWCERT/CC) detected and reported this vulnerability.
Affected are versions of the OAKlouds Portal before 1051, according to preliminary information. Users and administrators are strongly advised to visit TWCERT/CC for comprehensive details and guidance on mitigating this security risk. Given the high exploitability score of 3.9, immediate attention and application of security updates are crucial to prevent potential exploitation of this critical vulnerability.
