CVE-2018-20437

Name of the Vulnerable Software and Affected Versions FEBS-Shiro versions prior to 2018-11-05

Description An issue was discovered in the fileDownload function in the CommonController class. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false.

Recommendations For versions prior to 2018-11-05, as a temporary workaround, consider disabling the fileDownload function in the CommonController class until a patch is available. Restrict access to the /common/download API endpoint to minimize the risk of exploitation. Avoid using the filename and delete parameters in the affected API endpoint until the issue is resolved.