Firegiant · Wix Toolset · CVE-2019-16511
**Name of the Vulnerable Software and Affected Versions**
FireGiant WiX Toolset versions prior to 3.11.2
**Description**
An issue in DTF allows directory traversal during CAB or ZIP archive extraction. This occurs because the full name of an archive file, including any ../ sequence, is concatenated with the destination path.
**Recommendations**
For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll to minimize the risk of exploitation. Avoid using these libraries for archive extraction until the issue is resolved.