exploitDog

CVE-2022-27248

Опубликовано: 03 апр. 2022

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. An attack uses the path field to CaddemServiceJS/CaddemService.svc/rest/DownloadDwg.

Ссылки

http://packetstormsecurity.com/files/166560/IdeaRE-RefTree-Path-Traversal.html
Third Party Advisory
VDB Entry
https://www.idearespa.eu
Product
http://packetstormsecurity.com/files/166560/IdeaRE-RefTree-Path-Traversal.html
Third Party Advisory
VDB Entry
https://www.idearespa.eu
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:idearespa:reftree:*:*:*:*:*:*:*:*

Версия до 2021.09.17 (исключая)

EPSS

Процентиль: 56%

0.00333

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-9x3c-69rg-65p6

CVSS3: 6.5

github

почти 4 года назад

A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. An attack uses the path field to CaddemServiceJS/CaddemService.svc/rest/DownloadDwg.

EPSS

Процентиль: 56%

0.00333

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22