@saltcorn/server arbitrary file and directory listing when accessing build mobile app results
- Severity: Medium
Description
A user with admin permission can read arbitrary file and directory names on the filesystem by calling the admin/build-mobile-app/result?build_dir_name= endpoint. The build_dir_name parameter is not properly validated and is then used to construct the buildDir that is read. The file and directory names under that buildDir are returned in the response.
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details:
- Affected version(s): <= 1.0.0-beta.13
- Patched version(s): 1.0.0-beta.14
References
Related Issues
- @pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation - CVE-2025-53626
- Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page - Vulnerability
- @saltcorn/server arbitrary file zip read and download when downloading auto backups - Vulnerability
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- Tags:
- npm
- @saltcorn/server
Last updated on October 04, 2024