mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-05-16 20:38:32 -04:00
Security impact:
- Authenticated attackers could read arbitrary files on the server
- Path traversal via unsanitized pic_filename parameter
- Could read .env, config files, encryption keys

Fix:
- Apply basename() to strip directory components
- Validate file extension to allowlist image types only
- Add explicit error response for invalid file types

CVE: Pending
Affected: <= 3.4.2
Reported by: Kamran Saifullah (VulDB)
Co-authored-by: Ollama <ollama@steganos.dev>
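The three steps the commit message lists (strip directory components with basename(), allowlist the extension, return an explicit error otherwise) are shown below as an added PHP illustration. This is not code from the opensourcepos repository or from this commit; the upload directory, the allowlist contents, the function names and the response codes are all assumptions chosen for the example.

```php
<?php
// Added example, not OSPOS code. Shows the path-traversal pattern the commit
// describes beside a hardened version of the same lookup.

const PIC_DIR = '/var/www/ospos/uploads/item_pics/';   // assumed upload directory
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];     // assumed image allowlist

// Vulnerable pattern: the request parameter is concatenated onto the directory,
// so a value such as "../../.env" resolves outside the upload directory.
function resolve_pic_vulnerable(string $pic_filename): string
{
    return PIC_DIR . $pic_filename;
}

// Hardened: basename() drops every directory component, then the extension is
// checked against the allowlist. Returns null for anything that must not be served.
function resolve_pic_hardened(string $pic_filename): ?string
{
    $name = basename($pic_filename);               // "../../.env" becomes ".env"
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                               // ".env" has extension "env": rejected
    }
    return PIC_DIR . $name;
}

// Controller-style usage: an explicit error for rejected names instead of a
// silent failure or a file read, then a normal 404 for missing images.
function serve_pic(string $pic_filename): void
{
    $path = resolve_pic_hardened($pic_filename);
    if ($path === null) {
        http_response_code(400);
        header('Content-Type: text/plain');
        echo 'Invalid image file';
        return;
    }
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    readfile($path);
}

// Example request handling (assumed parameter name taken from the commit message).
serve_pic($_GET['pic_filename'] ?? '');
```

With this shape, `resolve_pic_hardened('../../.env')` returns null and `resolve_pic_hardened('item.PNG')` returns the path inside PIC_DIR. As defence in depth, a deployment can additionally compare `realpath($path)` against `realpath(PIC_DIR)` before `readfile()`, which catches any future code path that bypasses the helper; note that `realpath()` only works on files that exist, so it belongs after the `is_file()` check.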
56 KiB