PT-2023-20323 · Unknown · Metersphere

Lcxing

Published

2023-03-09

Updated

2023-03-15

CVE-2023-25814

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Name of the Vulnerable Software and Affected Versions metersphere versions prior to 2.7.1

Description The issue allows a user with permission to create a resource file through UI operations to append a path to their submission query, which will be read by the system and displayed to the user. This enables users to read arbitrary files on the server's filesystem, provided the server process has permission to read the requested files.

Recommendations For versions prior to 2.7.1, upgrade to version 2.7.1 to address the issue. There are no known workarounds for this issue.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2023-25814

GHSA-FWC3-5H55-MH2J

Affected Products

Metersphere

PT-2023-20323 · Unknown · Metersphere

CVE-2023-25814

Weakness Enumeration

Related Identifiers

Affected Products

References · 6