Description
Gin-vue-admin is a back-office management system built on Vue and Gin, with the front end and back end developed and deployed separately. Versions of gin-vue-admin prior to 2.5.4 are vulnerable to path traversal: a user-controlled path reaches a file-write operation without being confined to the intended directory, so an attacker can use the file upload functionality to write content outside that directory. Version 2.5.4 contains a patch for this issue. There is no workaround other than upgrading to a patched version.
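The description names the bug class but not the mechanics. The following Go example is added here for illustration; it is not gin-vue-admin's code and not the 2.5.4 patch (the PATCH reference below is the authoritative fix). It shows the generic pattern behind this class of vulnerability, a user-controlled name joined onto an upload directory with no containment check, beside a hardened join that refuses any result outside the base directory. The function names naiveJoin and safeJoin and the base directory /srv/uploads are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a user-supplied path would escape the base directory.
var ErrTraversal = errors.New("path escapes upload directory")

// naiveJoin is the unsafe pattern behind path-traversal-to-file-write bugs:
// the user-controlled name is joined onto the upload directory and used as-is,
// so "../../etc/cron.d/job" resolves to a location outside the directory.
// Illustrative only (not gin-vue-admin's code).
func naiveJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// safeJoin resolves userPath under base and refuses any result that is not
// strictly inside base. It rejects absolute input, cleans the joined path,
// and then checks containment with filepath.Rel rather than a string prefix,
// so both "../x" and sibling-prefix tricks such as "../uploads-evil/x" fail.
// This is a lexical check only; see the note below about symlinks.
func safeJoin(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrTraversal
	}
	cleanBase := filepath.Clean(base)
	target := filepath.Join(cleanBase, userPath) // Join applies Clean, collapsing ".." segments
	rel, err := filepath.Rel(cleanBase, target)
	if err != nil {
		return "", err
	}
	// rel == "." means the target is the directory itself, which is not a valid file name.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed inputs: a benign upload name and three traversal attempts.
	inputs := []string{"docs/readme.md", "../../etc/passwd", "/etc/passwd", "../uploads-evil/x"}
	for _, in := range inputs {
		p, err := safeJoin("/srv/uploads", in)
		fmt.Printf("%-22q naive=%-28s safe=%v err=%v\n", in, naiveJoin("/srv/uploads", in), p, err)
	}
}
```

The containment check is lexical: if the upload directory or one of its parents can be a symlink controlled by an attacker, resolve the base with filepath.EvalSymlinks before joining, or, on Go 1.24 or later, open the directory with os.Root so the operating system enforces the boundary. Restricting file names to a single path component with filepath.Base is a simpler alternative when subdirectories are never legitimate.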
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
Affected products
- flipped-aurora/gin-vue-admin: versions < 2.5.4 (fixed in 2.5.4)
References
- VENDOR_ADVISORY: https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-7gc4-r5jr-9hxv
- MISC (issue report): https://github.com/flipped-aurora/gin-vue-admin/issues/1263
- PATCH: https://github.com/flipped-aurora/gin-vue-admin/pull/1264
- MISC (affected source file): https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/service/system/sys_auto_code.go