CVE-2020-15097

Name of the Vulnerable Software and Affected Versions loklak versions less than or equal to commit 5f48476

Description The loklak server application contains a path traversal vulnerability due to insufficient input validation in the APIs. This allows a directory traversal vulnerability, enabling an attacker to retrieve any admin configuration and files readable by the app available on the hosted file system. Furthermore, user-controlled content could be written to any admin config and files readable by the application.

Recommendations To resolve the issue, users will need to upgrade their hosted instances of loklak to a version greater than commit 5f48476, specifically to a version that includes the patch from commit 50dd692. As a temporary workaround, consider restricting access to sensitive admin configurations and files to minimize the risk of exploitation.