Rohan Stelling

**Name of the Vulnerable Software and Affected Versions** Mura CMS versions 5.1 through 5.1.497 Mura CMS versions 5.2 through 5.2.2808 Sava CMS versions 5 through 5.2 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) in the `FILEID` parameter to the "tasks/render/file/" endpoint. **Recommendations** For Mura CMS versions 5.1 through 5.1.497, update to version 5.1.498 or later. For Mura CMS versions 5.2 through 5.2.2808, update to version 5.2.2809 or later. For Sava CMS versions 5 through 5.2, update to a version later than 5.2, if available. As a temporary workaround, consider restricting access to the "tasks/render/file/" endpoint until a patch is available. Avoid using the `FILEID` parameter in the affected endpoint until the issue is resolved.