Yoyochaud

**Name of the Vulnerable Software and Affected Versions** DumbAssets versions 1.0 through 1.0.11 **Description** A path traversal issue exists in the 'POST /api/delete-file' endpoint via the `filesToDelete` array parameters. This allows unauthenticated attackers to bypass directory boundary validation by using ../ sequences to traverse outside the intended application directory. This can lead to the deletion of critical files, such as `server.js` or `package.json`, resulting in a complete denial of service. Path traversal is a technique used to access files and directories that are stored outside the web root folder. **Recommendations** For versions 1.0 through 1.0.11, avoid using the `filesToDelete` parameter in the 'POST /api/delete-file' endpoint until a fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DumbAssets versions 1.0 through 1.0.11 **Description** A stored cross-site scripting issue exists in asset fields, specifically `name`, `description`, `modelNumber`, `serialNumber`, and `tags`. These fields are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can use asset API endpoints to create or update assets with HTML or JavaScript payloads, allowing the execution of arbitrary scripts in the browsers of users viewing the asset list. If the Content-Security-Policy is disabled, these injected scripts can establish unrestricted connections to internal network services. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.