Dbltek · Goip-1 · CVE-2022-4982
**Name of the Vulnerable Software and Affected Versions**
DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5
**Description**
The GoIP-1 device firmware contains a local file inclusion issue. The web server exposes the handlers `frame.html` and `frame.A100.html`, which accept a path parameter (`content` or `sidebar`) without proper validation. This allows an attacker to use directory-traversal sequences to read arbitrary files accessible to the web server user. The Shadowserver Foundation observed exploitation of this issue on 2024-03-21 UTC.
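A log check for the pattern described above, as an added example (not part of the advisory or any vendor code): it flags requests to `frame.html` or `frame.A100.html` whose `content` or `sidebar` value contains a `..` segment after repeated percent-decoding. The access-log layout, the parameter arriving in the query string, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Handler and parameter names are from the advisory. Assumptions: the request
# line is logged in double quotes and the parameter is in the query string.
HANDLERS = {"frame.html", "frame.a100.html"}
PARAMS = {"content", "sidebar"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def suspicious_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        handler = url.path.rsplit("/", 1)[-1].lower()
        if handler not in HANDLERS:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in PARAMS and is_traversal(value):
                hits.append((number, name.lower(), fully_decode(value)))
    return hits

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /frame.html?content=status.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /frame.html?content=..%2f..%2f..%2fexample.conf HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "GET /frame.A100.html?sidebar=%252e%252e%252fexample.conf HTTP/1.1" 200 90',
    '203.0.113.5 - - [01/Jan/2024:00:00:04 +0000] "GET /index.html?content=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request that was answered with a 200 status is worth correlating with the response size and the source address's other activity on the device.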
**Recommendations**
Versions prior to GHSFVT-1.1-67-5 should be used.