CVE-2018-7669

Name of the Vulnerable Software and Affected Versions Sitecore Sitecore.NET versions 8.1 rev. 151207 Hotfix 141178-1 and above

Description An issue allows an attacker to perform a directory traversal attack using the 'Log Viewer' application. This is achieved by accessing a specific URI, "sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=", and manipulating the file parameter. The validation filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack, enabling access to arbitrary files from the host Operating System.

Recommendations For Sitecore Sitecore.NET versions 8.1 rev. 151207 Hotfix 141178-1 and above, consider restricting access to the 'Log Viewer' application until a patch is available. As a temporary workaround, avoid using the file parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.