PT-2025-12395 · Unknown · Openslides

Published: 2025-03-21 · Updated: 2025-03-27 · CVE-2025-30343

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the vulnerable software and affected versions: OpenSlides versions prior to 4.2.5

Description: A directory traversal issue was discovered in OpenSlides. The interface allows users to download a ZIP archive containing all files in a folder and its subfolders. The name of each archive entry is derived from the file or folder title, so if an attacker sets a title to a relative or absolute path (e.g., ../../../etc/passwd), that path is written into the generated ZIP archive as the entry's path. Depending on the extraction tool the downloading user runs, extracting the archive may overwrite files outside the chosen directory on the user's machine.

Recommendations: For versions prior to 4.2.5, update to version 4.2.5 or later to resolve the issue. As a temporary workaround, avoid relative or absolute paths in file or folder titles to reduce the risk of exploitation, and restrict access to sensitive files and folders to limit the chance of files being overwritten outside the chosen extraction directory.
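The following added example (not OpenSlides code; the file list, folder name and function names are constructed for illustration) shows the vulnerable pattern the description refers to, a sanitising step that reduces a title to a single path component before it becomes an archive member name, and an extraction-side check that lists members whose names would resolve outside the target directory.

```python
import io
import posixpath
import zipfile

# Constructed sample: (title, content) pairs for a folder export; two titles
# are crafted as paths in the way the advisory describes.
SAMPLE_FILES = [
    ("agenda.txt", b"agenda\n"),
    ("../../../etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
    ("/tmp/evil.sh", b"echo overwritten\n"),
]

def build_zip_unsanitized(files):
    """Vulnerable pattern: the user-supplied title becomes the member name verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for title, data in files:
            zf.writestr(title, data)  # "../../../etc/passwd" is stored as-is
    return buf.getvalue()

def safe_member_name(title, folder="export"):
    """Hardened: keep only the last path component, with no separators or dot segments.
    For nested folders, apply this to every component and join the results."""
    name = posixpath.basename(title.replace("\\", "/").rstrip("/"))
    if name in ("", ".", ".."):
        name = "unnamed"
    return posixpath.join(folder, name)

def build_zip_sanitized(files):
    """Fixed pattern: titles are sanitised before they become archive paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for title, data in files:
            zf.writestr(safe_member_name(title), data)
    return buf.getvalue()

def member_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()

def unsafe_members(zip_bytes):
    """Extraction-side check: member names that would land outside the target directory
    (absolute paths, leading '..' after normalisation, or a Windows drive prefix)."""
    bad = []
    for name in member_names(zip_bytes):
        norm = posixpath.normpath(name.replace("\\", "/"))
        first = norm.split("/")[0]
        if norm.startswith("/") or first == ".." or ":" in first:
            bad.append(name)
    return bad
```

Python's own ZipFile.extract strips such components, but other extraction tools do not, which is why the advisory's impact depends on the tool the user runs.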

Exploit · Fix

Weakness: Path traversal


Weakness Enumeration: Path traversal

Related Identifiers: CVE-2025-30343

Affected Products: Openslides