Nxnjz

**Name of the Vulnerable Software and Affected Versions** IPESA e-Flow version 3.3.6 **Description** The issue allows path traversal for reading any file within the web root directory. This is achieved via the `lib/js/build/STEResource.res` path and the `R` query parameter. **Recommendations** For IPESA e-Flow version 3.3.6, consider restricting access to the `lib/js/build/STEResource.res` path to minimize the risk of exploitation. Avoid using the `R` query parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.