PT-2022-27079 · Unknown · Simmeth Lieferantenmanager

Steffen Robertz · Published 2022-12-25 · Updated 2022-12-30 · CVE-2022-44016

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Simmeth Lieferantenmanager versions prior to 5.6
Description: An issue was discovered that allows an attacker to download arbitrary files from the web server by abusing an API call to "/DS/LM API/api/ConfigurationService/GetImages" with an ImagesPath value set to "C:". This enables the attacker to access files on the server.
Recommendations: For versions prior to 5.6, as a temporary workaround, consider restricting access to the "/DS/LM API/api/ConfigurationService/GetImages" API endpoint until a patch is available. Avoid using the ImagesPath variable in this endpoint to minimize the risk of exploitation. Update to version 5.6 or later to resolve the issue.
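The underlying defect is a file-serving endpoint that trusts a client-supplied path. The following is an added illustration, not the vendor's code and not taken from this advisory, of the server-side containment check such an endpoint needs before opening any file named by a parameter like ImagesPath. The base directory, function names and sample values are assumptions; the drive-letter value "C:" is the one the advisory cites, and the check also covers UNC prefixes, backslash separators and ".." segments so it behaves the same on any OS.

```python
"""Reject file-path parameters that escape a fixed images directory.

Added illustration (not the vendor's code): a server-side containment check
of the kind a "GetImages"-style endpoint needs before it opens any file named
by a client-supplied path such as ImagesPath.
"""
from pathlib import Path, PurePosixPath, PureWindowsPath

# Hypothetical base directory the endpoint is allowed to serve from.
IMAGES_DIR = "/var/www/app/images"


def resolve_within_base(base_dir: str, requested: str):
    """Return the absolute path for `requested` if it stays inside base_dir, else None.

    The value is parsed with both Windows and POSIX rules so that drive letters
    ("C:"), UNC prefixes, backslash separators and ".." segments are all caught
    regardless of the OS the check happens to run on.
    """
    if not requested or "\x00" in requested:
        return None  # empty or NUL-containing names are never valid
    win, posix = PureWindowsPath(requested), PurePosixPath(requested)
    # A drive ("C:"), UNC share or rooted path means the client is naming an
    # absolute location instead of a file under the images directory.
    if win.drive or win.root or posix.is_absolute():
        return None
    # Refuse explicit parent references up front rather than relying on
    # normalisation alone; backslash-separated parts come from the Windows parse.
    if ".." in win.parts or ".." in posix.parts:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Final containment check after symlinks and normalisation are applied.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def classify(base_dir: str, values):
    """Map each candidate ImagesPath value to 'allowed' or 'rejected'."""
    return {
        v: ("allowed" if resolve_within_base(base_dir, v) else "rejected")
        for v in values
    }


# Constructed sample inputs, including the drive-letter value from the advisory.
SAMPLE_VALUES = [
    "logo.png",
    "vendors/acme.png",
    "C:",
    "C:\\Windows\\win.ini",
    "..\\..\\config.xml",
    "../../etc/passwd",
    "/etc/passwd",
    "\\\\fileserver\\share\\secret.txt",
    "icons/../logo.png",
]

if __name__ == "__main__":
    for value, verdict in classify(IMAGES_DIR, SAMPLE_VALUES).items():
        print(f"{verdict:8s} {value!r}")
```

The check deliberately rejects rather than normalises: a request naming a drive, share, root or parent directory is treated as a policy violation and logged as such, which also gives a detection hook for the kind of probing this advisory describes.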

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-44016

Affected Products: Simmeth Lieferantenmanager