PT-2022-4436 · Gravitee · Gravitee Api Management

Published: 2022-08-22 · Updated: 2022-08-25 · CVE-2019-25075

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Gravitee API Management versions prior to 1.25.3

Description: The vulnerability combines HTML injection with path traversal in the Email service, which lets anonymous users read arbitrary files. It is triggered through a request to /management/users/register. The same flaw may also allow remote attackers to carry out cross-site scripting (XSS) attacks.

Recommendations: For versions prior to 1.25.3, update to version 1.25.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /management/users/register endpoint until a patch is available. Avoid using the Email service in Gravitee API Management until the issue is resolved.
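The two defensive measures above (the interim endpoint restriction and watching for the HTML-injection and path-traversal ingredients in registration requests) can be turned into a small check over access logs. The following is an added example written for this page; it is not Gravitee code and not part of the advisory. The log line format, the JSON field names (firstname, lastname, email), the trusted source network and all sample requests are constructed assumptions; the only value taken from the advisory is the /management/users/register path.

```python
"""Detection and interim-workaround helpers for registration requests
carrying path-traversal or HTML-injection indicators (CVE-2019-25075 context).

Hypothetical example: log format, JSON field names and the trusted network
are assumptions, not Gravitee's own formats or settings.
"""
import json
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

REGISTER_PATH = "/management/users/register"  # endpoint named in the advisory

# The advisory describes two ingredients: path traversal and HTML injection.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Assumed log layout: timestamp client method path body
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2022-08-22T10:00:00Z 198.51.100.7 POST /management/users/register '
    '{"email":"alice@example.com","firstname":"Alice","lastname":"Doe"}',
    '2022-08-22T10:00:05Z 203.0.113.9 POST /management/users/register '
    '{"email":"x@example.com","firstname":"../../../../constructed/path","lastname":"Doe"}',
    '2022-08-22T10:00:09Z 203.0.113.9 POST /management/users/register '
    '{"email":"y@example.com","firstname":"<b>constructed html</b>","lastname":"Doe"}',
    '2022-08-22T10:00:12Z 203.0.113.9 POST /management/users/register '
    '{"email":"z@example.com","firstname":"%2e%2e%2f%2e%2e%2fconstructed","lastname":"Doe"}',
    '2022-08-22T10:00:20Z 198.51.100.7 GET /management/apis {}',
]

# Assumed trusted network for the interim workaround (restrict the endpoint).
ALLOWED_SOURCES = [ip_network("198.51.100.0/24")]


def decode_repeatedly(value, rounds=3):
    """Percent-decode up to `rounds` times so an encoded '../' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(body):
    """Return sorted indicator names found in the string fields of a JSON body."""
    try:
        fields = json.loads(body)
    except ValueError:
        fields = {"_raw": body}
    found = set()
    for key, val in fields.items():
        if not isinstance(val, str):
            continue
        text = decode_repeatedly(val)
        if TRAVERSAL_RE.search(text):
            found.add(f"path-traversal:{key}")
        if HTML_TAG_RE.search(text):
            found.add(f"html-injection:{key}")
    return sorted(found)


def scan_log(lines):
    """Return one record per register request whose body carries an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != REGISTER_PATH:
            continue
        indicators = find_indicators(m["body"])
        if indicators:
            hits.append({"client": m["client"], "indicators": indicators})
    return hits


def allow_request(client, path):
    """Interim workaround: only trusted sources may reach the register endpoint;
    every other path is passed through unchanged."""
    if path.split("?")[0] != REGISTER_PATH:
        return True
    return any(ip_address(client) in net for net in ALLOWED_SOURCES)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints three flagged requests from the constructed log, all from 203.0.113.9; the percent-encoded variant is caught only because the field is decoded before matching, which is the detail most worth carrying into a real WAF or SIEM rule.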

Exploit · Fix · Path traversal · XSS


Related Identifiers

BDU:2022-05300
CVE-2019-25075
GHSA-XC4W-28G8-VQM5

Affected Products

Gravitee Api Management