github.com/pterodactyl/wingso is vulnerable to Arbitrary File Deletion. A remote authenticated attacker is able to delete files and directories recursively on the host system via the vulnerable Delete
function of filesystem.go
. This vulnerability can further be exploited to overwrite existing files by combining it with CVE-2023-25152
.
github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d
github.com/pterodactyl/wings/commit/dcbc59790db8d12bc256e69cc46a8123bd514fab
github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63
github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5
github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5