Описание
Arbitrary File Write in iobroker.js-controller
Versions of iobroker.controller prior to 2.0.25 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended /adapter/<adapter-name> folder, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack but the package has authentication disabled by default.
Recommendation
Upgrade to version 2.0.25 or later.
Пакеты
iobroker.js-controller
< 2.0.25
2.0.25
Связанные уязвимости
An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if the authentication is enabled (by default isn't enabled).