CVE-2024-29640 — aliyundrive-webdav vulnerable to Command Injection

Description

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the `action_query_qrcode` component.

How to fix CVE-2024-29640

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

crates.io/aliyundrive-webdav—no fix listed
PyPI/aliyundrive-webdav—no fix listed

Is CVE-2024-29640 being exploited?

Low — EPSS is 2.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 2.3.3
from 0, <= 2.3.3

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-29640
PATCHgithub.com/messense/aliyundrive-webdav
WEBaliyundrive-webdav.com
WEBgithub.com/lakemoon602/vuln/blob/main/detail.md
WEB