Tobias Fiebig

#22336 of 53,779
10 Total CVSS
Vulnerabilities · 2
Low: 1
Medium: 1
PT-2015-4981
3.5
2015-03-04
Sharelatex · Sharelatex · CVE-2015-0933
**Name of the Vulnerable Software and Affected Versions**
ShareLaTeX versions 0.1.3 and earlier

**Description**
The issue allows remote authenticated users to read arbitrary files via an \include command due to an absolute path traversal vulnerability when the paranoid openin_any setting is omitted.

**Recommendations**
For ShareLaTeX versions 0.1.3 and earlier, consider adding the paranoid openin_any setting to prevent absolute path traversal. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2015-4982
6.5
2015-03-04
Sharelatex · Sharelatex · CVE-2015-0934
**Name of the Vulnerable Software and Affected Versions**
Common LaTeX Service Interface (CLSI) versions prior to 0.1.3
ShareLaTeX versions prior to 0.1.3

**Description**
The issue allows remote authenticated users to execute arbitrary code via ` (backtick) characters in a filename.

**Recommendations**
For Common LaTeX Service Interface (CLSI) versions prior to 0.1.3, update to version 0.1.3 or later. For ShareLaTeX versions prior to 0.1.3, update to version 0.1.3 or later. As a temporary workaround, consider restricting the use of backtick characters in filenames until a patch is available.