Описание
Arbitrary File Write in iobroker.admin
Versions of iobroker.admin prior to 3.6.12 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended folder in the /log/ route, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack but the package has authentication disabled by default.
Recommendation
Upgrade to version 3.6.12 or later.
Пакеты
Наименование
iobroker.admin
npm
Затронутые версииВерсия исправления
< 3.6.12
3.6.12
Связанные уязвимости
CVSS3: 9.8
nvd
около 6 лет назад
iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory.