CVE-2022-25266

Name of the Vulnerable Software and Affected Versions Passwork On-Premise Edition versions prior to 4.6.13

Description The issue is related to incorrect restriction of the path name to a directory with limited access. An attacker can exploit this by manipulating URL parameters to gain access to local files and directories on the server. This allows for directory traversal, enabling the reading of files.

Recommendations For Passwork On-Premise Edition versions prior to 4.6.13, update to version 4.6.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the migration/downloadExportFile endpoint until a patch is available. Avoid using the vulnerable endpoint to minimize the risk of exploitation.