CVE-2024-57189: 
JavaScript vulnerability analysis and mitigation

CVE-2024-57189 is a Path Traversal vulnerability discovered in Erxes versions prior to 1.6.2. The vulnerability exists in the importHistoriesCreate GraphQL mutation handler, where an authenticated attacker can write to arbitrary files on the system (Sonar Blog, NVD).

The vulnerability stems from insufficient path validation in the importHistoriesCreate GraphQL mutation handler. When AWS S3 storage is configured, the service downloads files from S3 to the local filesystem using unsanitized user-controlled filenames. This allows an attacker to use path traversal sequences (../) to write files to arbitrary locations on the system (Sonar Blog).

An authenticated attacker could exploit this vulnerability to write arbitrary files anywhere on the system. When combined with other vulnerabilities, this could lead to remote code execution by overwriting critical files such as /data/enabled-services.js that get executed by the services (Sonar Blog).

The vulnerability has been patched in Erxes version 1.6.2 by implementing proper filename sanitization to remove unwanted characters from user-controlled filenames. Users are advised to upgrade to version 1.6.3 or later to receive all security fixes (Sonar Blog).

The vulnerability was responsibly disclosed by SonarSource researchers to the Erxes team on October 6, 2023. After the initial 90-day disclosure deadline elapsed, Erxes addressed the vulnerabilities through multiple releases, culminating in version 1.6.3 which contains all security fixes (Sonar Blog).