<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fireshare - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/fireshare/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/fireshare/feed.xml" rel="self" type="application/rss+xml"/><item><title>Fireshare 1.5.1 Authenticated Path Traversal Vulnerability (CVE-2026-33645)</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-fireshare-path-traversal/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-fireshare-path-traversal/</guid><description>Fireshare version 1.5.1 is vulnerable to an authenticated path traversal, allowing attackers to write arbitrary files outside the intended upload directory due to insufficient sanitization of the `checkSum` field in the chunked upload endpoint.</description><content:encoded><![CDATA[<p>Fireshare, a self-hosted media and link sharing platform, is susceptible to a critical path traversal vulnerability in version 1.5.1. This flaw, identified as CVE-2026-33645, resides within the chunked upload endpoint. By manipulating the <code>checkSum</code> multipart field, an authenticated attacker can write arbitrary files to locations outside of the designated upload directory. The vulnerability stems from the direct use of the <code>checkSum</code> field in filesystem path construction without proper sanitization or containment checks. Successful exploitation allows writing to any path writable by the Fireshare process (e.g., <code>/tmp</code> in containerized deployments), enabling potential compromise and follow-on attacks. Upgrading to version 1.5.2 resolves this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the Fireshare application.</li>
<li>Attacker initiates a chunked file upload to the vulnerable endpoint.</li>
<li>Attacker crafts a malicious HTTP POST request with a <code>checkSum</code> multipart field containing a path traversal payload (e.g., <code>../../../tmp/evil.sh</code>).</li>
<li>The Fireshare server processes the request and constructs the file path using the unsanitized <code>checkSum</code> value.</li>
<li>The server writes the uploaded chunk to the attacker-specified location (e.g., <code>/tmp/evil.sh</code>).</li>
<li>Attacker uploads the complete malicious file through subsequent chunked upload requests.</li>
<li>Attacker executes the uploaded file through other means, such as a web shell or command injection vulnerability (out of scope).</li>
<li>Attacker achieves arbitrary code execution on the server, potentially leading to privilege escalation or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this path traversal vulnerability (CVE-2026-33645) in Fireshare 1.5.1 allows attackers to write arbitrary files to sensitive locations. This could lead to complete compromise of the Fireshare instance, including the ability to execute arbitrary code. Depending on the deployment environment (e.g., containerized), this may also lead to host compromise. Without specific figures, the potential number of affected installations depends on the adoption rate of Fireshare 1.5.1 before patching.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Fireshare installations to version 1.5.2 or later to remediate CVE-2026-33645.</li>
<li>Implement the provided Sigma rule <code>Fireshare Suspicious File Upload Path</code> to detect attempts to exploit this vulnerability via web server logs.</li>
<li>Monitor web server logs for POST requests to the chunked upload endpoint with suspicious path traversal sequences in the <code>cs-uri-query</code> field using the same Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>web-application</category><category>fireshare</category></item></channel></rss>