CVE-2022-27248

Name of the Vulnerable Software and Affected Versions IdeaRE RefTree versions prior to 2021.09.17

Description A directory traversal issue allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. An attack uses the path field to /CaddemServiceJS/CaddemService.svc/rest/DownloadDwg.

Recommendations For versions prior to 2021.09.17, as a temporary workaround, consider restricting access to the DownloadDwg endpoint until a patch is available. Avoid using the path field in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.