PT-2023-20730 · Syncfusion · Syncfusion Ej2 Node File Provider

Published: 2023-07-12 · Updated: 2023-07-26 · CVE-2023-26563

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Syncfusion EJ2 Node File Provider version 0102271

Description: The issue allows an unauthenticated attacker to perform various malicious actions due to a directory traversal vulnerability in the filesystem-server.js component. On Windows, this includes listing files in any directory, reading any file, deleting any file, and uploading any file to any directory accessible by the web server. On Linux, an attacker can read any file, download any directory, delete any file, and upload any file to any directory accessible by the web server.

Recommendations: As a temporary workaround, consider disabling the filesystem-server.js component until a patch is available. Restrict access to the vulnerable filesystem-server.js module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-26563

Affected Products

Syncfusion Ej2 Node File Provider