Solidsoft · Solidserver Ipam · CVE-2025-13879
**Name of the Vulnerable Software and Affected Versions**
SOLIDserver IPAM version 8.2.3
**Description**
A directory traversal issue exists in SOLIDserver IPAM version 8.2.3. An authenticated user with administrator privileges can list directories beyond their authorized access. This is possible by manipulating the `directory` parameter within the `/mod/ajax.php?action=sections/list/list` API endpoint. Specifically, setting the `directory` parameter to `/` reveals files outside the `LOCAL:///` folder.
**Recommendations**
Update to a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the `/mod/ajax.php?action=sections/list/list` API endpoint.
Sanitize the `directory` parameter to prevent directory traversal attempts.
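
One way to apply the sanitization recommendation, shown as an added example that is not vendor code and not part of the original advisory. It assumes `LOCAL:///` maps to a single base directory on disk; `resolve_directory`, `DirectoryRejected`, and the sample directory names are hypothetical.

```python
import os
import tempfile

SCHEME = "LOCAL:///"  # prefix named in the advisory; its mapping to disk is assumed


class DirectoryRejected(ValueError):
    """Raised when a requested directory falls outside the permitted root."""


def resolve_directory(directory: str, base_dir: str) -> str:
    """Map a `directory` value to a real path under base_dir, or raise."""
    # Only scheme-qualified values are accepted, so a bare "/" is refused.
    if "\x00" in directory or not directory.startswith(SCHEME):
        raise DirectoryRejected("must be a LOCAL:/// path")
    relative = directory[len(SCHEME):]
    # A leading slash would make os.path.join discard the root entirely.
    if relative.startswith("/") or "\\" in relative:
        raise DirectoryRejected("absolute or backslash path")
    if ".." in relative.split("/"):
        raise DirectoryRejected("parent reference")
    root = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link pointing outside root is caught too.
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise DirectoryRejected("resolves outside root")
    return candidate


def demo() -> dict:
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "local")
        os.makedirs(os.path.join(root, "exports"))
        os.symlink(tmp, os.path.join(root, "link_out"))  # link leaving root
        for value in ("LOCAL:///exports", "LOCAL:///", "/", "LOCAL:///../",
                      "LOCAL:////etc", "LOCAL:///link_out"):
            try:
                resolve_directory(value, root)
                results[value] = "allowed"
            except DirectoryRejected as exc:
                results[value] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:22} {outcome}")
```

The check is applied to the resolved path rather than to the raw string, so encodings or links that normalize to a location outside the root are rejected along with the literal `/` case.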