NavigaTUM · CVE-2026-25575
**Name of the Vulnerable Software and Affected Versions**
NavigaTUM versions prior to commit 86f34c7
**Description**
NavigaTUM is a website and API for searching locations. Its `propose edits` API endpoint writes files supplied in the JSON payload into a temporary directory, using the client-supplied file keys as path components without sanitising them. A key containing traversal sequences (e.g. `../../`) therefore escapes the intended temporary directory, and because the endpoint requires no authentication, any remote user can write or overwrite files in any directory writable by the application user, such as `/cdn`. Practical consequences include replacing publicly served images with attacker-controlled content and writing enough data to exhaust server storage.
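As an added illustration (example code written for this page, not NavigaTUM's own code), the pattern described above is shown beside a hardened version in Rust, the language the NavigaTUM server is written in. The temporary directory path, the function names and the `KeyError` type are assumptions for the example; the advisory does not show the project's real handler, JSON field names or directory layout. The hardened function goes beyond the single `../../` case in the text and also rejects absolute keys and keys that span more than one path component.

```rust
use std::path::{Component, Path, PathBuf};

/// Directory the endpoint is meant to write into. The real NavigaTUM location is
/// not given in the advisory; this path is an assumption for the example.
pub const TMP_DIR: &str = "/tmp/navigatum-proposals";

/// Vulnerable pattern (illustrative, not NavigaTUM's code): the file key from the
/// JSON payload is joined straight onto the temp dir. `..` segments walk out of
/// it, and an absolute key replaces the base entirely, which is how
/// `Path::join` behaves when given an absolute argument.
pub fn vulnerable_target_path(key: &str) -> PathBuf {
    Path::new(TMP_DIR).join(key)
}

/// Lexical normalisation: resolve `.` and `..` without consulting the filesystem,
/// so the check works before the file exists and is not fooled by missing dirs.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// True when the (lexically normalised) path lies outside TMP_DIR.
pub fn escapes_base(path: &Path) -> bool {
    !normalize(path).starts_with(TMP_DIR)
}

#[derive(Debug, PartialEq, Eq)]
pub enum KeyError {
    Empty,
    /// Key contains `..`, `.`, a leading `/` or a Windows drive/UNC prefix.
    Traversal,
    /// Key spans more than one path component (contains a separator).
    Separator,
}

/// Hardened version: a key may only be a single, normal file name. Anything that
/// parses as more than one component, or as a non-Normal component, is rejected
/// before any path is built; the containment check afterwards is defence in depth.
pub fn safe_target_path(key: &str) -> Result<PathBuf, KeyError> {
    if key.is_empty() {
        return Err(KeyError::Empty);
    }
    let mut normal_components = 0;
    for comp in Path::new(key).components() {
        match comp {
            Component::Normal(_) => normal_components += 1,
            _ => return Err(KeyError::Traversal),
        }
    }
    if normal_components != 1 {
        return Err(KeyError::Separator);
    }
    let target = Path::new(TMP_DIR).join(key);
    if escapes_base(&target) {
        // Not reachable for keys that passed the checks above; kept as a guard
        // in case the validation above is ever loosened.
        return Err(KeyError::Traversal);
    }
    Ok(target)
}

fn main() {
    // Constructed sample keys: one benign, the rest shaped like the advisory's attack.
    for &key in ["logo.png", "../../cdn/logo.png", "/etc/passwd", "a/b.png", ""].iter() {
        let naive = vulnerable_target_path(key);
        println!(
            "key {:?}: naive -> {} (escapes base: {}), hardened -> {:?}",
            key,
            naive.display(),
            escapes_base(&naive),
            safe_target_path(key)
        );
    }
}
```

The containment check is purely lexical, which is what you want for a file that does not exist yet; it does not defend against a symlink already present inside the temp directory, so the directory itself must be owned by the service and not writable by others. Note also that on Unix a backslash is an ordinary file-name character, so the same key can parse differently on Windows. The storage-exhaustion angle in the advisory is not addressed by path validation at all and needs separate per-request size and file-count limits.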
**API Endpoints**
`/propose edits`
**Vulnerable Parameters or Variables**
`file keys` in the JSON payload (used unsanitised as path components when the proposed files are written)
**Recommendations**
Update NavigaTUM to commit 86f34c7 or later.