Psitransfer
Monthly
Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.
Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.