Description
Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited through various attack vectors present in multiple PHP files. This vulnerability is fixed in v600.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Atheos/Atheos/security/advisories/GHSA-rgjm-6p59-537v
Scores
CVSS v3
9.1
EPSS
0.0009
EPSS Percentile
25.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
CWE-434
CWE-94
Status
published
Products (1)
Atheos/Atheos
< 600
Published
Jan 10, 2025
Tracked Since
Feb 18, 2026