CVE-2019-10257

Name of the Vulnerable Software and Affected Versions: Zucchetti HR Portal versions prior to 2019-03-15

Description: The issue allows unauthenticated users to perform Directory Traversal, escaping the restricted location using dot-dot-slash notation to access files or directories elsewhere on the system. This enables access to the application's Java sources from /WEB-INF/classes/*.class.

Recommendations: For versions prior to 2019-03-15, consider restricting access to the /WEB-INF/classes/ directory to prevent unauthorized access to Java sources until a fix is available. As a temporary workaround, limit the ability of unauthenticated users to traverse directories using dot-dot-slash notation.