{"id":"GHSA-6h8w-hrfp-pffx","summary":"Plenti arbitrary file deletion vulnerability","details":"Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fixes the vulnerability.","aliases":["CVE-2024-49381","GO-2024-3214"],"modified":"2024-10-31T22:12:42.907388Z","published":"2024-10-31T21:49:42Z","database_specific":{"severity":"HIGH","nvd_published_at":"2024-10-25T14:15:12Z","cwe_ids":["CWE-74"],"github_reviewed":true,"github_reviewed_at":"2024-10-31T21:49:42Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49381"},{"type":"PACKAGE","url":"https://github.com/plentico/plenti"},{"type":"WEB","url":"https://github.com/plentico/plenti/blob/01825e0dcd3505fac57adc2edf29f772d585c008/cmd/serve.go#L205"},{"type":"WEB","url":"https://github.com/plentico/plenti/releases/tag/v0.7.2"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti"}],"affected":[{"package":{"name":"github.com/plentico/plenti","ecosystem":"Go","purl":"pkg:golang/github.com/plentico/plenti"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.7.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-6h8w-hrfp-pffx/GHSA-6h8w-hrfp-pffx.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}]}