PT-2024-40243 · Saltcorn · Saltcorn

Published: 2024-10-03 · Updated: 2024-10-03

CVSS v4.0: 5.4 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions: Saltcorn version 1.0.0-beta.13
Description: A user with admin permission can read arbitrary file and directory names on the filesystem by calling the "/build-mobile-app/result" endpoint. The build directory name parameter is not properly validated and is used to construct the buildDir that is then read; the file and directory names under that buildDir are returned to the caller. This allows information disclosure, but it is limited to file and directory names, not their contents.
Recommendations: For Saltcorn version 1.0.0-beta.13, resolve the buildDir and check that it starts with the expected path before reading it, to prevent arbitrary file and directory name disclosure. As a temporary workaround, consider restricting access to the "/build-mobile-app/result" endpoint for admin users until a patch is available.

Related Identifiers

GHSA-CFQX-F43M-VFH7

Affected Products

Saltcorn