Impact
The vulnerability in Filestash v0.4.0 stems from incorrect access control in the /admin/api/config endpoint, which permits an attacker to elevate privileges by sending a crafted request. This flaw is a classic misconfiguration of access control (CWE-284) that can lead to unauthorized actions. The vulnerability can allow a non‑admin user to perform privileged administrative tasks, potentially compromising confidentiality, integrity, and availability of the system.
Affected Systems
Filestash, version 0.4.0. No other versions were mentioned or listed as affected in the available information. The vulnerability is specific to the admin API configuration component and is not reported to affect earlier or later releases according to the data provided.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score is very low (< 1%), suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA's KEV, meaning it has not been confirmed as widely exploited. The likely attack vector is via remote access to the Filestash server, as the /admin/api/config endpoint is an HTTP API. Attackers would need to craft a request that bypasses the incorrect access control and may succeed from a remote context if the endpoint is exposed. The risk remains significant due to the high severity, but exploitation likelihood is modest.
OpenCVE Enrichment