Impact
pwnlift contains a symlink following flaw in the upload handler (Components/Pages/Home.razor) that operates only in privileged deployments. The weakness is a CWE-61 absolute path traversal; an attacker who can upload a crafted file can cause the application to follow a symbolic link to arbitrary files, potentially reading or overwriting sensitive data and leading to confidentiality breaches.
Affected Systems
The affected software is rasta-mouse pwnlift prior to commit d7a95449, where the upload handler follows symlinks. The flaw exists only in privileged deployments and affects all installations that have not upgraded past this commit.
Risk and Exploitability
The CVSS score is 7.4, indicating high severity. EPSS data is not available and the vulnerability implying limited known exploitation. upload endpoint, the privileged deployment. Given the high potential for unauthorized file access, the risk warrants prompt action.
OpenCVE Enrichment