CVE-2019-10767
N/A
N/A
Summary
An attacker can include file contents from outside the /adapter/xxx/ directory, where xxx is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. Note: The attacker has to be logged in if the authentication is enabled (by default isn't enabled).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | iobroker.js-controller | All versions prior to version 2.0.25 | affected |
Weaknesses
- Directory Traversal
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/ioBroker/ioBroker.js-controller/commit/f6e292c6750a491a5000d0f851b2fede4f9e2fda
- https://snyk.io/vuln/SNYK-JS-IOBROKERJSCONTROLLER-534881
References
- https://github.com/ioBroker/ioBroker.js-controller/commit/f6e292c6750a491a5000d0f851b2fede4f9e2fda
- https://snyk.io/vuln/SNYK-JS-IOBROKERJSCONTROLLER-534881
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.