Release v0.2.15 - Security Release · ErugoOSS/Erugo

Security Release

This release fixes critical path traversal vulnerabilities that could allow authenticated users to write files to arbitrary locations on the server, leading to Remote Code Execution (RCE).

Security Fixes

UploadsController: Sanitize filePaths input and validate resolved paths stay within share directory
TusdHooksController: Sanitize bundle manifest paths and validate extraction paths
EmailTemplatesController: Validate template IDs to prevent path traversal

Security Advisory

Advisory: GHSA-336w-hgpq-6369
Severity: Critical
Affected versions: <=0.2.14

Upgrade Instructions

All users running Erugo v0.2.14 or earlier should upgrade immediately.

Credits

Thanks to Leon Phan of AWARE7 GmbH for responsibly disclosing this vulnerability.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

v0.2.15 - Security Release

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Security Release

Security Fixes

Security Advisory

Upgrade Instructions

Credits

Uh oh!