CVE-2017-16179

Name of the Vulnerable Software and Affected Versions: dasafio versions (affected versions not specified)

Description: The issue allows an attacker to access the filesystem by exploiting a directory traversal vulnerability. This is achieved by placing "../" in the URL, granting access to files outside the intended directory root. Although file access is restricted to only .html files, a malicious actor can still use this vulnerability to disclose private files on the vulnerable system. For example, an attacker can send a GET request to /../../../../../../../../../../etc/passwd to access sensitive files.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation. It is recommended that dasafio is only used for local development, and if the functionality is needed for production, a different package is used instead.