CVE-2013-3922

Name of the Vulnerable Software and Affected Versions Gummy Bear Studios FTP Drive + HTTP Server versions 1.0.4 and earlier

Description A directory traversal issue allows remote attackers to read arbitrary files by including a ..%2f (encoded dot dot slash) in a GET request to the "/api/v1/files" API endpoint, such as "/api/v1/files/../../etc/passwd". This could potentially expose sensitive information.

Recommendations For versions 1.0.4 and earlier, as a temporary workaround, consider restricting access to sensitive files and directories until a patch is available. Avoid using the filename variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.