CVE-2024-27292

Name of the Vulnerable Software and Affected Versions Docassemble versions 1.4.53 through 1.4.96

Description The issue allows attackers to gain unauthorized access to information on the system through URL manipulation. It is an unauthenticated path traversal flaw that exposes sensitive files and secrets, leading to privilege escalation and template injection, enabling remote code execution. The vulnerability affects Docassemble, an expert system for guided interviews and document assembly.

Recommendations For versions 1.4.53 through 1.4.96, update to version 1.4.97 of the master branch to resolve the issue. If upgrading is not possible, manually apply the changes of the patch and restart the server. As a temporary workaround, consider restricting access to sensitive files and secrets to minimize the risk of exploitation.