PT-2021-23456 · Unknown · Resourcespace

Published: 2021-11-15 · Updated: 2024-03-06 · CVE-2021-41950

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ResourceSpace versions 9.6 through 9.6 rev 18277

Description: A directory traversal issue allows remote unauthenticated attackers to delete arbitrary files on the server via the provider and variant parameters in "pages/ajax/tiles.php". Attackers can delete configuration or source code files, causing the application to become unavailable to all users.

Recommendations: For versions 9.6 through 9.6 rev 18277, update to a version after 9.6 rev 18277 to resolve the issue. As a temporary workaround, consider restricting access to the "pages/ajax/tiles.php" endpoint to minimize the risk of exploitation. Avoid using the provider and variant parameters in the affected endpoint until the issue is resolved.
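The root cause described above is a file-system path built from request parameters without confining the result to the intended directory. The following is an added illustration of the defensive pattern a fix of this class relies on; it is not ResourceSpace's code, and the base directory, the directory layout (base/provider/variant) and the function names are constructed assumptions. It combines a strict allow-list on each component with a canonical-path containment check, so that both literal traversal sequences and symlink escapes are rejected before any delete is attempted.

```python
import re
from pathlib import Path

# Assumption: tile files live under one fixed base directory and the request
# supplies two path components named `provider` and `variant` (the parameter
# names come from the advisory; the layout is constructed for this example).
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class PathTraversalError(ValueError):
    """Raised when request parameters would address a file outside the base directory."""


def resolve_tile_path(base_dir: str, provider: str, variant: str) -> Path:
    """Return the canonical path for (provider, variant) under base_dir.

    Layer 1 rejects anything that is not a plain identifier, which rules out
    "..", path separators, percent-encoding and NUL bytes outright.
    Layer 2 canonicalises the result (following symlinks) and insists it is
    still inside base_dir, so a misconfigured symlink cannot reopen the hole.
    """
    for name, value in (("provider", provider), ("variant", variant)):
        if not _SAFE_COMPONENT.fullmatch(value):
            raise PathTraversalError(f"{name!r} contains disallowed characters")

    base = Path(base_dir).resolve()
    candidate = (base / provider / variant).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError("resolved path escapes the base directory") from None
    return candidate


def is_safe_tile_request(base_dir: str, provider: str, variant: str) -> bool:
    """Boolean wrapper suitable for a pre-flight check in a request handler."""
    try:
        resolve_tile_path(base_dir, provider, variant)
        return True
    except PathTraversalError:
        return False


def delete_tile(base_dir: str, provider: str, variant: str) -> bool:
    """Delete the tile only after the path has been confined; True if a file was removed."""
    path = resolve_tile_path(base_dir, provider, variant)
    if not path.is_file():
        return False
    path.unlink()
    return True


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three traversal attempts.
    samples = [
        ("osm", "256"),
        ("../../include", "config"),
        ("..%2F..%2Finclude", "config"),
        ("osm", ""),
    ]
    for provider, variant in samples:
        verdict = "allow" if is_safe_tile_request("/srv/tiles", provider, variant) else "reject"
        print(f"provider={provider!r} variant={variant!r} -> {verdict}")
```

The allow-list is deliberately narrow; widen it only to the characters the real naming scheme needs, and keep the containment check regardless, since it is the layer that holds when the allow-list is later loosened. Logging every `PathTraversalError` gives the detection signal for attempts against this endpoint.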

Weakness Enumeration

Path traversal

Related Identifiers

BIT-RESOURCESPACE-2021-41950
CVE-2021-41950

Affected Products

Resourcespace