{"uuid": "d5162901-0c1d-4139-aaf7-89fce6f1bdad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-23512", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/12751", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23512\n\ud83d\udd25 CVSS Score: 7.7 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)\n\ud83d\udd39 Description: MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + \"/\" + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.\n\ud83d\udccf Published: 2022-12-14T13:09:36.800Z\n\ud83d\udccf Modified: 2025-04-21T19:20:37.099Z\n\ud83d\udd17 References:\n1. https://github.com/metersphere/metersphere/security/advisories/GHSA-5mwp-xw7p-5j27", "creation_timestamp": "2025-04-21T20:03:23.000000Z"}