PT-2019-15796 · Simplifile · Simplifile Recordfusion

Edgar Bustos · Published 2019-12-17 · Updated 2021-07-21 · CVE-2019-19264

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Simplifile RecordFusion versions prior to 2019-11-25

Description: The issue allows remote attackers to access local files. This is achieved through the logs and hist parameters in the logger/logs or logger/hist URI, such as "logger/logs?/../" or "logger/hist?/../".

Recommendations: For versions prior to 2019-11-25, as a temporary workaround, consider restricting access to the logger/logs and logger/hist API endpoints until a patch is available. Avoid using the logs and hist parameters in these endpoints to minimize the risk of exploitation.
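
To check whether the two endpoints received traversal-style requests before access was restricted, web server access logs can be reviewed. The sketch below is an added example, not code from the vendor or from this advisory; it assumes combined-format access logs, and the function names and sample entries are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory.
ENDPOINTS = ("logger/logs", "logger/hist")
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment bounded by a separator or parameter delimiter, after decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/=&])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(target):
    """True if the target hits an affected endpoint with ".." in path or query."""
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    query = fully_decode(parts.query)
    if not any(ep in path.lower() for ep in ENDPOINTS):
        return False
    return bool(TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query))

def scan(lines):
    """Return (line_number, request_target) for each suspicious entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group("target")):
            hits.append((number, match.group("target")))
    return hits

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Nov/2019:10:00:01 +0000] "GET /logger/logs?/../ HTTP/1.1" 200 512',
    '192.0.2.10 - - [25/Nov/2019:10:00:02 +0000] "GET /logger/hist?%2f%2e%2e%2f HTTP/1.1" 200 498',
    '192.0.2.11 - - [25/Nov/2019:10:00:03 +0000] "GET /logger/logs?%252e%252e%252f HTTP/1.1" 200 498',
    '192.0.2.12 - - [25/Nov/2019:10:00:04 +0000] "GET /logger/logs HTTP/1.1" 200 2048',
    '192.0.2.13 - - [25/Nov/2019:10:00:05 +0000] "GET /index.html?next=/../ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit means the request matched the pattern, not that a file was disclosed; the response size and status in the same log entry help with triage.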

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2019-19264

Affected Products

Simplifile Recordfusion