CVE-2023-45880

Name of the Vulnerable Software and Affected Versions GibbonEdu Gibbon versions through 25.0.0

Description The issue allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension), allowing creation of PHP files outside of the uploads directory, directly in the webroot.

Recommendations For versions through 25.0.0, consider disabling the report template builder feature until a patch is available to prevent exploitation. Restrict access to the templateFileDestination parameter to minimize the risk of creating malicious PHP files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.