PT-2021-22585 · Biqs It · Biqs-Drive

Pinkdraconian · Published 2021-10-04 · Updated 2021-10-12 · CVE-2021-39433

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BIQS IT Biqs-drive versions 1.83 and below
Description: A local file inclusion (LFI) issue exists when sending a specific payload as the file parameter to the "download/index.php" endpoint. This allows an attacker to read arbitrary files from the server with the permissions of the configured web-user.
Recommendations: For BIQS IT Biqs-drive versions 1.83 and below, consider disabling access to the "download/index.php" endpoint until a patch is available. As a temporary workaround, restrict the file parameter to prevent arbitrary file reading.
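The workaround above (restrict the file parameter so the download endpoint cannot read outside its intended directory) comes down to one check: canonicalize the requested path and verify it still lies inside the download directory. The following is an added example written for this advisory, not BIQS IT's code; it assumes a hypothetical download directory and constructs its own sample files, so it runs offline. It also covers the edge cases a naive string check misses: absolute paths, NUL bytes, and paths that traverse out and back in.

```python
import os
import tempfile
from typing import Optional


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` inside `base_dir`, or None
    when the request would escape the download directory (../ traversal,
    an absolute path, a symlink pointing outside) or the file does not exist.
    """
    # NUL bytes truncate paths in C-backed file APIs; reject them outright.
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` if `requested` is absolute, which is
    # exactly why the containment check below is done on the result.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows, or mixed path kinds
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def read_download(base_dir: str, requested: str) -> Optional[bytes]:
    """Hardened replacement for an 'open whatever the file parameter says'
    handler: only files resolved by resolve_download_path are ever opened."""
    path = resolve_download_path(base_dir, requested)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed sample: a temp download directory with one public file and
    one file outside it, then the kinds of values a file parameter might carry.
    Returns label -> whether the handler served the request."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not for download\n")

    attempts = {
        "plain": "report.pdf",                # legitimate request
        "traversal": "../secret.txt",         # classic dot-dot escape
        "absolute": secret,                   # absolute path overriding base
        "nul": "report.pdf\x00.txt",          # NUL-byte truncation attempt
        "normalized": "sub/../report.pdf",    # leaves and re-enters the base
        "missing": "does-not-exist.pdf",      # valid shape, no such file
    }
    return {label: read_download(downloads, value) is not None
            for label, value in attempts.items()}


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label:>10}: {'served' if served else 'rejected'}")
```

The containment test is done after `realpath`, never on the raw string, so encoded or re-entrant traversal sequences are judged by where they actually land. A stricter policy for a download endpoint is to avoid passing paths at all and look files up by an opaque identifier in a database table; the check above is the minimum that makes a path-based `file` parameter safe.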

Exploit

Fix


Related Identifiers

CVE-2021-39433

Affected Products

Biqs-Drive