Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability
- Severity: High
Description
A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated or sanitized and is used to construct the `syncDir` that is then deleted by calling `fs.rm`.
Recommendation
Update the `@saltcorn/server` package to the latest compatible version. Version details:
- Affected version(s): <= 1.0.0-beta.15
- Patched version(s): 1.0.0-beta.16
Related Issues
- Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page - Vulnerability
- @saltcorn/server arbitrary file and directory listing when accessing build mobile app results - Vulnerability
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - CVE-2024-30261
- Tags: npm, @saltcorn/server
Last updated on October 08, 2024