Search
Total
502 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-18191 | 1 Get-simple | 1 Getsimplecms | 2020-10-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| GetSimpleCMS-3.3.15 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /GetSimpleCMS-3.3.15/admin/log.php | |||||
| CVE-2020-21522 | 1 Halo | 1 Halo | 2020-10-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in halo V1.1.3. A Zip Slip Directory Traversal Vulnerability in the backend,the attacker can overwrite some files, such as ftl files, .bashrc files in the user directory, and finally get the permissions of the operating system. | |||||
| CVE-2020-18190 | 1 Bludit | 1 Bludit | 2020-10-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| Bludit v3.8.1 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /admin/ajax/upload-profile-picture. | |||||
| CVE-2020-21526 | 1 Halo | 1 Halo | 2020-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| An Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it. | |||||
| CVE-2019-1620 | 1 Cisco | 1 Data Center Network Manager | 2020-10-06 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device. | |||||
| CVE-2020-24626 | 1 Hpe | 1 Utility Computing Service Meter | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| Unathenticated directory traversal in the ReceiverServlet class doPost() method can lead to arbitrary remote code execution in HPE Pay Per Use (PPU) Utility Computing Service (UCS) Meter version 1.9. | |||||
| CVE-2020-12640 | 1 Roundcube | 1 Webmail | 2020-09-24 | 7.5 HIGH | 9.8 CRITICAL |
| Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. | |||||
| CVE-2020-15182 | 2 Soy Cms Project, Soy Inquiry Project | 2 Soy Cms, Soy Inquiry | 2020-09-23 | 6.8 MEDIUM | 9.6 CRITICAL |
| The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328. | |||||
| CVE-2020-7521 | 1 Schneider-electric | 1 Apc Easy Ups Online Software | 2020-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in SFAPV9601 - APC Easy UPS On-Line Software (V2.0 and earlier) when accessing a vulnerable method of `FileUploadServlet` which may lead to uploading executable files to non-specified directories. | |||||
| CVE-2020-7522 | 1 Schneider-electric | 1 Apc Easy Ups Online Software | 2020-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in SFAPV9601 - APC Easy UPS On-Line Software (V2.0 and earlier) when accessing a vulnerable method of `SoundUploadServlet` which may lead to uploading executable files to non-specified directories. | |||||
| CVE-2019-8074 | 1 Adobe | 1 Coldfusion | 2020-09-04 | 10.0 HIGH | 9.8 CRITICAL |
| ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user. | |||||
| CVE-2020-15639 | 1 Marvell | 1 Qconvergeconsole | 2020-09-03 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Authentication is not required to exploit this vulnerability. The specific flaw exists within the decryptFile method of the FlashValidatorServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10496. | |||||
| CVE-2020-7376 | 1 Rapid7 | 1 Metasploit | 2020-09-02 | 10.0 HIGH | 9.8 CRITICAL |
| The Metasploit Framework module "post/osx/gather/enum_osx module" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host. | |||||
| CVE-2020-16245 | 1 Advantech | 1 Iview | 2020-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech iView, Versions 5.7 and prior. The affected product is vulnerable to path traversal vulnerabilities that could allow an attacker to create/download arbitrary files, limit system availability, and remotely execute code. | |||||
| CVE-2019-8395 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. | |||||
| CVE-2019-11231 | 1 Get-simple | 1 Getsimple Cms | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since they decided to roll their own implementation. The cookie_name is crafted information that can be leaked from the frontend (site name and version). If a someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on an SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for forms submissions via POST requests, and for the csrf nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web accessible and executable files with arbitrary content. | |||||
| CVE-2019-1010257 | 1 Article2pdf Project | 1 Article2pdf | 2020-08-24 | 7.5 HIGH | 9.1 CRITICAL |
| An Information Disclosure / Data Modification issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. A URL can be constructed which allows overriding the PDF file's path leading to any PDF whose path is known and which is readable to the web server can be downloaded. The file will be deleted after download if the web server has permission to do so. For PHP versions before 5.3, any file can be read by null terminating the string left of the file extension. | |||||
| CVE-2019-12277 | 1 Blogifier | 1 Blogifier | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as demonstrated by missing checks for .. in a pathname. | |||||
| CVE-2019-1010151 | 1 Zzcms | 1 Zzmcms | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php. | |||||
| CVE-2019-11510 | 1 Pulsesecure | 1 Pulse Connect Secure | 2020-08-24 | 7.5 HIGH | 10.0 CRITICAL |
| In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability . | |||||
| CVE-2019-15039 | 1 Jetbrains | 1 Teamcity | 2020-08-24 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1. | |||||
| CVE-2019-17662 | 1 Cybelsoft | 1 Thinvnc | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector. | |||||
| CVE-2019-19374 | 1 Squiz | 1 Matrix | 2020-08-24 | 7.5 HIGH | 9.1 CRITICAL |
| An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the server during interaction with the File Upload field type, when a custom form exists. (This is related to an information disclosure issue within the File Upload field type that allows users to view the full path to uploaded files, including the product's web root directory.) | |||||
| CVE-2018-16367 | 1 Qduoj | 1 Onlinejudge | 2020-08-24 | 9.0 HIGH | 9.9 CRITICAL |
| In OnlineJudge 2.0, the sandbox has an incorrect access control vulnerability that can write a file anywhere. A user can write a directory listing to /tmp, and can leak file data with a #include. | |||||
| CVE-2019-9960 | 1 Limesurvey | 1 Limesurvey | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path. | |||||
| CVE-2019-9618 | 1 Gracemedia Media Player Project | 1 Gracemedia Media Player | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter. | |||||
| CVE-2019-4716 | 1 Ibm | 1 Planning Analytics | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. | |||||
| CVE-2019-10197 | 3 Canonical, Debian, Samba | 3 Ubuntu Linux, Debian Linux, Samba | 2020-08-18 | 6.4 MEDIUM | 9.1 CRITICAL |
| A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3, when certain parameters were set in the samba configuration file. An unauthenticated attacker could use this flaw to escape the shared directory and access the contents of directories outside the share. | |||||
| CVE-2017-17671 | 2 Microsoft, Vbulletin | 2 Windows, Vbulletin | 2020-08-14 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file. | |||||
| CVE-2020-13376 | 1 Securenvoy | 1 Securmail | 2020-08-12 | 9.3 HIGH | 9.0 CRITICAL |
| SecurEnvoy SecurMail 9.3.503 allows attackers to upload executable files and achieve OS command execution via a crafted SecurEnvoyReply cookie. | |||||
| CVE-2020-5609 | 1 Yokogawa | 8 B\/m9000cs, B\/m9000cs Firmware, B\/m9000vp and 5 more | 2020-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to create or overwrite arbitrary files and run arbitrary commands via unspecified vectors. | |||||
| CVE-2018-1000550 | 2 Debian, Sympa | 2 Debian Linux, Sympa | 2020-08-04 | 7.5 HIGH | 9.8 CRITICAL |
| The Sympa Community Sympa version prior to version 6.2.32 contains a Directory Traversal vulnerability in wwsympa.fcgi template editing function that can result in Possibility to create or modify files on the server filesystem. This attack appear to be exploitable via HTTP GET/POST request. This vulnerability appears to have been fixed in 6.2.32. | |||||
| CVE-2020-15492 | 1 Inneo | 1 Startup Tools | 2020-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact. | |||||
| CVE-2017-1000501 | 2 Awstats, Debian | 2 Awstats, Debian Linux | 2020-07-27 | 7.5 HIGH | 9.8 CRITICAL |
| Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution. | |||||
| CVE-2020-7684 | 1 Rollup-plugin-serve Project | 1 Rollup-plugin-serve | 2020-07-23 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation. | |||||
| CVE-2016-7063 | 1 Pritunl | 1 Pritunl-client | 2020-07-23 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in pritunl-client before version 1.0.1116.6. Arbitrary write to user specified path may lead to privilege escalation. | |||||
| CVE-2020-14507 | 1 Advantech | 1 Iview | 2020-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech iView, versions 5.6 and prior, is vulnerable to multiple path traversal vulnerabilities that could allow an attacker to create/download arbitrary files, limit system availability, and remotely execute code. | |||||
| CVE-2019-7267 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2020-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| Linear eMerge 50P/5000P devices allow Cookie Path Traversal. | |||||
| CVE-2017-1000047 | 1 Rbenv Project | 1 Rbenv | 2020-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| rbenv (all current versions) is vulnerable to Directory Traversal in the specification of Ruby version resulting in arbitrary code execution | |||||
| CVE-2017-18912 | 1 Mattermost | 1 Mattermost Server | 2020-06-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file. | |||||
| CVE-2020-7497 | 1 Schneider-electric | 1 Ecostruxure Operator Terminal Expert | 2020-06-19 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause arbitrary application execution when the computer starts. | |||||
| CVE-2017-6821 | 1 Synacor | 1 Zimbra Collaboration Suite | 2020-06-04 | 7.5 HIGH | 9.8 CRITICAL |
| Directory traversal vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.7.6 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2020-12832 | 1 Simplefilelist | 1 Simple-file-list | 2020-05-21 | 7.5 HIGH | 9.8 CRITICAL |
| WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. | |||||
| CVE-2017-5946 | 2 Debian, Rubyzip Project | 2 Debian Linux, Rubyzip | 2020-05-14 | 7.5 HIGH | 9.8 CRITICAL |
| The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem. | |||||
| CVE-2020-10794 | 1 Gira | 2 Tks-ip-gateway, Tks-ip-gateway Firmware | 2020-05-13 | 5.0 MEDIUM | 9.8 CRITICAL |
| Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. This can be combined with CVE-2020-10795 for remote root access. | |||||
| CVE-2020-11431 | 1 Inetsoftware | 3 Clear Reports, Helpdesk, Pdfc | 2020-05-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remote unauthenticated attacker to read arbitrary system files and directories on the target server via Directory Traversal. | |||||
| CVE-2020-10634 | 1 Sae-it | 2 Net-line Fw-50, Net-line Fw-50 Firmware | 2020-05-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| SAE IT-systems FW-50 Remote Telemetry Unit (RTU). A specially crafted request could allow an attacker to view the file structure of the affected device and access files that should be inaccessible. | |||||
| CVE-2020-1631 | 1 Juniper | 1 Junos | 2020-05-08 | 6.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command: user@device> show log httpd.log | match "=*;*&|=*%3b*&" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&" user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2. | |||||
| CVE-2018-19328 | 1 Laobancms | 1 Laobancms | 2020-05-07 | 7.5 HIGH | 9.8 CRITICAL |
| LAOBANCMS 2.0 allows install/mysql_hy.php?riqi=../ Directory Traversal. | |||||
| CVE-2020-12443 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive. | |||||