CVE-2019-13241

Name of the Vulnerable Software and Affected Versions FlightCrew versions 0.9.2 and older

Description The issue is related to insufficient input validation in the EPUB validator, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction. This can enable an attacker to record arbitrary files in any directory of the Zip archive.

Recommendations For FlightCrew versions 0.9.2 and older, as a temporary workaround, consider restricting the handling of ZIP archive entries to prevent directory traversal attacks until a patch is available. Avoid using the ZIP extraction feature with untrusted archives until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.