Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-19T18:59:19.526Z

Updated: 2024-08-02T01:52:56.997Z

Reserved: 2024-04-03T17:55:32.646Z

Link: CVE-2024-31450

cve-icon Vulnrichment

Updated: 2024-04-19T23:34:58.164Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-19T19:15:06.873

Modified: 2024-11-21T09:13:32.687

Link: CVE-2024-31450

cve-icon Redhat

No data.