PT-2019-19251 · Total.Js · Total.Js Platform
Publicado
2019-02-18
·
Atualizado
2020-03-18
·
CVE-2019-8903
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Total.js Platform versions prior to 3.2.3
Description
The issue allows path traversal due to insufficient input sanitization in URLs, enabling attackers to access server files outside the /public folder by using relative paths. The files served are limited to specific file types.
Recommendations
- If you are using version 2.1.x, upgrade to 2.1.1 or later.
- If you are using version 2.2.x, upgrade to 2.2.1 or later.
- If you are using version 2.3.x, upgrade to 2.3.1 or later.
- If you are using version 2.4.x, upgrade to 2.4.1 or later.
- If you are using version 2.5.x, upgrade to 2.5.1 or later.
- If you are using version 2.6.x, upgrade to 2.6.3 or later.
- If you are using version 2.7.x, upgrade to 2.7.1 or later.
- If you are using version 2.8.x, upgrade to 2.8.1 or later.
- If you are using version 2.9.x, upgrade to 2.9.5 or later.
- If you are using version 3.0.x, upgrade to 3.0.1 or later.
- If you are using version 3.1.x, upgrade to 3.1.1 or later.
- If you are using version 3.2.x, upgrade to 3.2.4 or later.
Exploit
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Total.Js Platform