PT-2018-10425 · Filedownloader · Filedownload

Triwater

Published

2018-05-18

Updated

2018-06-20

CVE-2018-11248

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FileDownloader version 1.7.3

Description The issue concerns a directory traversal problem. An attacker can exploit this by placing "../" in a file name, allowing the file to be stored in an unintended directory. This occurs because the util/FileDownloadUtils.java in FileDownloader does not properly check an attachment's name.

Recommendations For FileDownloader version 1.7.3, consider implementing proper validation and sanitization of file names to prevent directory traversal attacks. As a temporary workaround, restrict the ability to upload files with "../" in their names to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2018-11248

Affected Products

Filedownload

PT-2018-10425 · Filedownloader · Filedownload

CVE-2018-11248

Weakness Enumeration

Related Identifiers

Affected Products

References · 3