Sentinal404

#27273 of 53,608
9.3 Total CVSS
Vulnerabilities · 1
PT-2026-37274
9.3
2026-05-05
Grav · Grav · CVE-2026-42608
**Name of the Vulnerable Software and Affected Versions**

Grav versions prior to 2.0.0-beta.2

**Description**

A path traversal issue exists within the FormFlash core component. An unauthenticated attacker can manipulate the session id (passed via the `form-flash-id` parameter in POST requests) to traverse the filesystem. This allows the creation of arbitrary directories and the writing of an `index.yaml` file containing attacker-controlled data, which can lead to unauthorized modification of application behavior, data integrity issues, and service disruption.

The issue resides in the `__construct()` and `getTmpDir()` functions of the `Grav\Framework\Form\FormFlash` class, where a lack of sanitization on the session id allows `../` sequences to escape into writable directories such as `user/config/`, `cache/`, `logs/`, and `tmp/`.

**Recommendations**

Update to version 2.0.0-beta.2. As a temporary workaround, restrict the webserver's write permissions on sensitive directories such as `user/config/` to prevent the creation of new subdirectories.