CVE-2019-16511

Name of the Vulnerable Software and Affected Versions FireGiant WiX Toolset versions prior to 3.11.2

Description An issue in DTF allows directory traversal during CAB or ZIP archive extraction. This occurs because the full name of an archive file, including any ../ sequence, is concatenated with the destination path.

Recommendations For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll to minimize the risk of exploitation. Avoid using these libraries for archive extraction until the issue is resolved.