PT-2024-22395 · Lektor · Lektor

Dairiki · Published 2024-03-26 · Updated 2024-08-06 · CVE-2024-28335

CVSS v4.0: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Lektor versions prior to 3.3.11
Description: Lektor does not sanitize the database (DB) path it receives in a request, so that path can traverse out of the content tree. Under specific conditions this lets an attacker add a file to the templates directory, which in turn allows shell commands to be executed. Exploitation requires that the victim's web browser visit an untrusted website that uses JavaScript to send requests to localhost port 5000, and that the browser be running on the same machine as the Lektor server command.
Recommendations: Update Lektor to version 3.3.11 or later. Until the update is applied, do not browse untrusted websites while the Lektor server command is running, since the attack is delivered through the browser's own requests to localhost port 5000; restrict write access to the project's templates directory; and, where practical, run the Lektor server on a machine other than the one used for browsing, so that a malicious page cannot reach it at localhost.
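The description above names two conditions: a DB path that is not sanitized against traversal, and a browser that relays requests from a foreign page to the local server. The following is an added example, not Lektor's code and not the fix shipped in 3.3.11; it sketches, for a hypothetical local dev server, the two server-side checks a practitioner would want for each condition. The function names (sanitize_db_path, resolve_under_root, is_rejected, is_trusted_request), the TRUSTED_ORIGINS allowlist and the content root "/site/content" are assumptions for illustration; port 5000 is taken from the advisory.

```python
# Added example (hypothetical, not Lektor's code): two checks that close the
# conditions described in the advisory for a local dev server.
# 1. sanitize_db_path / resolve_under_root reject traversal out of the
#    content tree, so a request cannot land a file in the templates directory.
# 2. is_trusted_request refuses state-changing requests that a browser
#    relays from a foreign origin (the JavaScript-to-localhost:5000 step).
from __future__ import annotations

import posixpath
from urllib.parse import unquote, urlsplit


class PathTraversalError(ValueError):
    """Raised when a request path would escape the content root."""


def sanitize_db_path(raw: str) -> str:
    """Return a canonical record path such as '/blog/post', or raise.

    Percent-decoding is applied twice so that a double-encoded '..'
    ('%252e%252e') is seen for what it is; backslashes and NUL bytes are
    rejected outright rather than normalized away.
    """
    path = unquote(unquote(raw))
    if "\\" in path or "\x00" in path:
        raise PathTraversalError(f"illegal character in path: {raw!r}")
    segments = [seg for seg in path.split("/") if seg]
    for seg in segments:
        # '..' climbs out of the tree; '.' and dot-files are never record ids
        if seg == ".." or seg.startswith("."):
            raise PathTraversalError(f"traversal segment in path: {raw!r}")
    return "/" + "/".join(segments)


def resolve_under_root(content_root: str, raw_db_path: str) -> str:
    """Map a sanitized DB path onto the filesystem and prove it stays inside
    content_root; the prefix check is a second, independent barrier."""
    root = posixpath.normpath(content_root)
    clean = sanitize_db_path(raw_db_path)
    full = posixpath.normpath(posixpath.join(root, clean.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise PathTraversalError(f"{raw_db_path!r} resolves outside {root}")
    return full


def is_rejected(raw_db_path: str, content_root: str = "/site/content") -> bool:
    """Verdict helper: True when the path would be refused."""
    try:
        resolve_under_root(content_root, raw_db_path)
    except PathTraversalError:
        return True
    return False


# Hypothetical allowlist for a dev server bound to localhost:5000.
TRUSTED_ORIGINS = frozenset({"http://localhost:5000", "http://127.0.0.1:5000"})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def is_trusted_request(method: str, headers: dict[str, str]) -> bool:
    """Reject browser-relayed cross-site writes.

    Browsers attach Origin to every POST and Sec-Fetch-Site to every
    request, so a page on evil.example posting to localhost:5000 arrives
    with Origin: https://evil.example and Sec-Fetch-Site: cross-site.
    Clients that are not browsers (curl) send neither header and are
    allowed; this closes the browser pivot, not direct local access.
    """
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("sec-fetch-site") == "cross-site":
        return False
    origin = h.get("origin")
    if origin is None and "referer" in h:
        parts = urlsplit(h["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin is None or origin in TRUSTED_ORIGINS


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for candidate in ("/blog/post", "../templates/evil.html",
                      "%252e%252e/templates/evil.html", "..\\templates\\x"):
        print(f"{candidate!r:40} rejected={is_rejected(candidate)}")
    cross_site = {"Origin": "https://evil.example", "Sec-Fetch-Site": "cross-site"}
    print("cross-site POST trusted:", is_trusted_request("POST", cross_site))
```

The path check refuses any '..' segment before normalization rather than normalizing first, because posixpath.normpath silently folds '/../templates' into '/templates' and would hide the attempt; the prefix test in resolve_under_root then catches anything the segment scan missed. The origin check is defense in depth only: it does not make a dev server safe to expose, it just stops a malicious page from using the victim's browser as a relay.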

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-28335 · GHSA-WV28-7FPW-FJ49 · PYSEC-2024-49

Affected Products: Lektor