CVE-2019-14767

Name of the Vulnerable Software and Affected Versions DIMO YellowBox CRM versions prior to 6.3.4

Description The issue allows an unauthenticated user to download arbitrary files from the server due to Path Traversal vulnerabilities in the images/Apparence and servletrecuperefichier endpoints. The dossier and document parameters are vulnerable to traversal attacks, enabling access to files outside the intended directory.

Recommendations For versions prior to 6.3.4, update to version 6.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the images/Apparence and servletrecuperefichier endpoints to prevent unauthenticated users from exploiting the Path Traversal vulnerability. Avoid using the dossier and document parameters in these endpoints until the issue is resolved.