PT-2019-13474 · B3Log · B3Log Wide

Published 2019-07-18 · Updated 2024-08-20 · CVE-2019-13915

CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: b3log Wide versions prior to 1.6.0
Description: The issue allows an attacker to access arbitrary files through three attack vectors. First, an attacker can write and execute code in the editor to read arbitrary files. Second, an attacker can create a symlink, place it in a ZIP archive, and, once the archive is unzipped, gain read and potentially write access to the symlink target, depending on file permissions. Third, an attacker can import a Git repository containing a symlink, which leads to similar read and write access.
Recommendations: For versions prior to 1.6.0, update to version 1.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the editor and the ZIP import functionality, and limiting the ability to import Git repositories, until the update is applied.
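As an added example (not code from Wide or from this advisory), the check an archive importer can apply to each entry before unpacking: it refuses symlink entries, the ZIP vector described above, and, going slightly beyond the advisory, names that resolve outside the destination directory. The destination path, the link target and the sample archive are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// CheckZipEntry refuses symlink entries and names outside dest; it returns the extraction path otherwise.
func CheckZipEntry(dest string, f *zip.File) (string, error) {
	if f.Mode()&fs.ModeSymlink != 0 {
		return "", fmt.Errorf("entry %q is a symlink", f.Name)
	}
	target := filepath.Join(dest, filepath.FromSlash(f.Name))
	if !strings.HasPrefix(target, filepath.Clean(dest)+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", f.Name, dest)
	}
	return target, nil
}

// ScanArchive applies CheckZipEntry to every entry and returns the refused names; an importer should abort on any.
func ScanArchive(dest string, data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil { // newer Go may hand back a usable reader plus a name error; we run our own check
		return nil, err
	}
	var rejected []string
	for _, f := range zr.File {
		if _, err := CheckZipEntry(dest, f); err != nil {
			rejected = append(rejected, f.Name)
		}
	}
	return rejected, nil
}

// BuildSampleZip constructs, in memory, an archive with a symlink entry (its body is the link target) and a zip-slip name.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	hdr := &zip.FileHeader{Name: "link"}
	hdr.SetMode(fs.ModeSymlink | 0o777)
	w, _ := zw.CreateHeader(hdr)
	w.Write([]byte("/tmp/outside-workspace.txt")) // constructed link target
	zw.Create("../escape.txt") // zip-slip style name: refused by the prefix check
	zw.Close()
	return buf.Bytes()
}
```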

Weakness Enumeration

Special Elements Injection
Link Following

Related Identifiers

CVE-2019-13915
GHSA-6452-JR93-R5QM
GO-2023-1924

Affected Products

B3Log Wide