Xoops · Uploader · CVE-2008-7178
**Name of the Vulnerable Software and Affected Versions**
Uploader module version 1.1 for XOOPS
**Description**
A directory traversal vulnerability allows remote attackers to read arbitrary files by including `..` (dot dot) in the `filename` parameter of a `downloadfile` action sent to `index.php`.
**Recommendations**
For Uploader module version 1.1, consider restricting access to the `downloadfile` action in `index.php` to minimize the risk of exploitation. Avoid using the `filename` parameter of that action until the issue is resolved.
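
Detection logic for the request pattern in the description, as an added example (not code from the advisory or from XOOPS): it scans web access log lines for `index.php` requests that carry a `downloadfile` action and a `filename` value with a `..` path segment, including percent-encoded and backslash forms. The log lines, the module path and the `op` parameter name are constructed assumptions; the advisory does not name the action parameter, so the code matches the value `downloadfile` under any parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(filename):
    """True if any path segment of the decoded value is exactly '..'."""
    segments = re.split(r"[\\/]", fully_decode(filename))
    return ".." in segments

def is_suspicious(target):
    """Flag index.php requests carrying a downloadfile action and a
    filename parameter that contains a dot-dot segment."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Assumption: the action parameter's name is not given in the advisory,
    # so accept the value "downloadfile" under any parameter name.
    action = any(v == "downloadfile" for _, v in params)
    return action and any(k == "filename" and has_traversal(v) for k, v in params)

def scan(lines):
    """Return the request targets of the log lines that match."""
    matches = (REQUEST_RE.search(line) for line in lines)
    return [m.group(1) for m in matches if m and is_suspicious(m.group(1))]

# Constructed sample log lines (IPs, module path and "op" are made up).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /modules/example/index.php?op=downloadfile&filename=report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /modules/example/index.php?op=downloadfile&filename=../../data/notes.txt HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /modules/example/index.php?op=downloadfile&filename=%252e%252e%255cdata%255cnotes.txt HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /modules/example/index.php?op=view&filename=../x HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2024:10:01:02 +0000] "GET /modules/example/index.php?op=downloadfile&filename=my..notes.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible traversal request:", hit)
```

Parameters sent in a POST body do not appear in access logs, so this covers query-string requests only.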