PT-2018-11466 · Webgrind · Webgrind

Abhikafle123 · Published 2018-06-27 · Updated 2024-08-05 · CVE-2018-12909

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Webgrind version 1.5

Description

The issue allows anyone to view files from the local filesystem that the webserver user has access to. This is achieved by manipulating the file parameter in the /index.php API endpoint, specifically through the op=fileviewer&file= URI. It is noted that the vendor does not intend the product for use in a publicly accessible environment.

Recommendations

For Webgrind version 1.5, as a temporary workaround, consider restricting access to the fileviewer operation in the index.php endpoint to minimize the risk of exploitation. Avoid using the file parameter in the affected API endpoint until the issue is resolved.
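To check whether the fileviewer operation has been reached from outside the networks it is meant for, the following added example (not part of the original advisory or of Webgrind) audits web server access logs for op=fileviewer requests. The trusted networks, the combined log format, the directory-index handling and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: networks allowed to reach Webgrind; adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def fileviewer_requests(lines):
    """Return every op=fileviewer request, marking clients outside TRUSTED_NETS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Assumption: a directory index ("/") is also served by index.php.
        if not url.path.endswith(("/index.php", "/")):
            continue
        # parse_qs percent-decodes, so op=%66ileviewer is recognised too.
        query = parse_qs(url.query, keep_blank_values=True)
        if "fileviewer" not in query.get("op", []):
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
            trusted = any(client in net for net in TRUSTED_NETS)
        except ValueError:
            trusted = False  # hostname or malformed client field
        findings.append({
            "client": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "file": query.get("file", [""])[0], "trusted": trusted,
        })
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '10.0.0.5 - - [27/Jun/2018:10:00:00 +0000] "GET /webgrind/index.php?op=fileviewer&file=/srv/app/src/Cart.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Jun/2018:10:02:11 +0000] "GET /webgrind/index.php?op=%66ileviewer&file=%2Fsrv%2Fexample%2Fconstructed.txt HTTP/1.1" 200 812',
    '203.0.113.9 - - [27/Jun/2018:10:02:15 +0000] "GET /webgrind/index.php?op=constructed_other HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in fileviewer_requests(SAMPLE):
        print("OK   " if f["trusted"] else "ALERT", f["client"], f["status"], f["file"])
```

Any finding with trusted set to False means the workaround above is not in effect for that client, and the logged file value shows what was requested.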

Fix

Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2023-8422
CVE-2018-12909

Affected Products

Webgrind