PT-2019-12037 · Iobroker · Iobroker.Admin
Fabio Carretto · Published 2019-11-20 · Updated 2020-09-04 · CVE-2019-10765
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
iobroker.admin versions prior to 3.6.12
Description
The issue allows an attacker to include file contents from outside the intended directory due to a path traversal problem. The package fails to restrict access to folders outside of the intended folder in the /log/ route, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack, but the package has authentication disabled by default.
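A containment check of the kind this path traversal calls for, as an added example that is not iobroker.admin's code or its actual fix. The log directory, function names and request values are constructed for illustration, and the input is assumed to be the raw, still-encoded suffix after /log/.

```javascript
const path = require("node:path");

// Constructed log directory; the package's real layout is not shown on this page.
const LOG_DIR = "/srv/example/log";

// Unsafe pattern: the request suffix is joined onto the base with no containment check.
function naiveLogPath(baseDir, requested) {
  return path.join(baseDir, requested);
}

// Hardened pattern: returns an absolute path inside baseDir, or null to refuse.
function safeLogPath(baseDir, requested) {
  let decoded;
  try {
    decoded = decodeURIComponent(requested); // normalise %2e%2e%2f-style encodings
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL bytes are never valid in a file name

  const base = path.resolve(baseDir);
  const target = path.resolve(base, decoded); // collapses "." and ".." segments
  const rel = path.relative(base, target);

  // Compare by path segment, not string prefix: "/srv/example/log-archive"
  // starts with "/srv/example/log" but is a different directory.
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) return null;
  return target;
}

// Constructed requests, as a /log/<name> handler might receive them.
for (const name of ["app.2019-11-20.log", "../config/secret.json", "%2e%2e%2fconfig%2fsecret.json"]) {
  console.log(name, "| naive:", naiveLogPath(LOG_DIR, name), "| safe:", safeLogPath(LOG_DIR, name));
}
```

path.resolve is purely lexical, so where the log directory may contain symlinks the handler should also compare fs.realpathSync results before opening the file.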
Recommendations
Upgrade to version 3.6.12 or later.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Iobroker.Admin