CVE-2025-52922

Name of the Vulnerable Software and Affected Versions: Innoshop versions 0.4.1 and earlier

Description: The issue allows directory traversal via FileManager API endpoints, such as "/api/file manager/files?base folder=", "/api/file manager/directories", "/api/file manager/copy files", and "/api/file manager/move files". An authenticated attacker with access to the admin panel could exploit this to map the filesystem structure, create arbitrary directories, read arbitrary files, delete arbitrary files via a DELETE request to "/api/file manager/files", or create arbitrary files on the server.

Recommendations: For Innoshop versions 0.4.1 and earlier, as a temporary workaround, consider restricting access to the FileManager API endpoints, specifically "/api/file manager/files?base folder=", "/api/file manager/directories", "/api/file manager/copy files", and "/api/file manager/move files", to minimize the risk of exploitation. Additionally, limit the ability to upload and move files using the "/api/file manager/move files" endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.