transformeroptimus/superagi
cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*
- 0.0.14
A path traversal vulnerability has been identified in the file upload feature of transformeroptimus/superagi, version 0.0.14. This vulnerability allows attackers to upload arbitrary files to the server, which could result in remote code execution or overwriting any file on the server.
Exploitation of this vulnerability could lead to remote code execution or unauthorized file overwriting on the server.
To reproduce this vulnerability, upload a text file through the Resource Manager's file upload feature. Intercept the request with Burp Suite and modify it to include a path traversal payload that targets the user's SSH authorized_keys file. After sending the modified request, the uploaded content will be written to the authorized_keys file, allowing SSH access to the server without a password.
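A server-side check that closes this class of bug, shown next to the unsafe join it replaces. This is an added example, not SuperAGI's code or its fix; the function names, the upload directory and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied filename would escape the upload root."""


def naive_upload_path(upload_root: str, client_name: str) -> str:
    # Vulnerable pattern (hypothetical): the client-controlled name is joined
    # as-is, so "../" segments or an absolute path choose the destination.
    return os.path.normpath(os.path.join(upload_root, client_name))


def safe_upload_path(upload_root: str, client_name: str) -> Path:
    # Hardened pattern: accept a bare filename only, then confirm that the
    # resolved destination (symlinks followed) sits directly in the root.
    root = Path(upload_root).resolve()
    normalized = client_name.replace("\\", "/")  # treat Windows separators alike
    leaf = Path(normalized).name
    if leaf != normalized or leaf in ("", ".", "..") or "\x00" in leaf:
        raise UnsafeUploadName(f"rejected upload name: {client_name!r}")
    dest = (root / leaf).resolve()
    if dest.parent != root:
        raise UnsafeUploadName(f"upload name leaves root: {client_name!r}")
    return dest


def classify(upload_root: str, names: list) -> dict:
    # Run each candidate name through the hardened check and record the verdict.
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(upload_root, name)
            verdicts[name] = "accepted"
        except UnsafeUploadName:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="uploads-")  # constructed upload directory
    # Constructed sample filenames, as they might arrive in a multipart request.
    samples = ["notes.txt", "../../.ssh/authorized_keys", "/etc/cron.d/job"]
    for name, verdict in classify(root, samples).items():
        print(f"{name!r}: {verdict}; naive join -> {naive_upload_path(root, name)}")
```

Rejecting the request, rather than silently stripping the directory part, also leaves a clear event to log and alert on.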