CakePHP directory traversal vulnerability allows remote attackers to read arbitrary files
Moderate severity
GitHub Reviewed
Published May 1, 2022 to the GitHub Advisory Database • Updated Jan 30, 2023
Package
Affected versions: >= 1.0.1.2708, < 1.1.8.3544
Patched versions: 1.1.8.3544
Published by the National Vulnerability Database: Sep 27, 2006
Published to the GitHub Advisory Database: May 1, 2022
Reviewed: Jan 14, 2023
Last updated: Jan 30, 2023
Description
Directory traversal vulnerability in app/webroot/js/vendors.php in Cake Software Foundation CakePHP before 1.1.8.3544 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, followed by a filename ending with %00 and a .js filename.
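A defender's check for the request pattern described above, as an added example that is not part of the advisory or of CakePHP: it scans web-server access logs for requests to vendors.php whose file parameter decodes to a .. path segment or a NUL byte (%00), including double-encoded forms. The /js/vendors.php URL suffix, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
TARGET_SUFFIX = "/js/vendors.php"  # assumed URL of app/webroot/js/vendors.php

# Constructed sample entries (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2006:10:00:00 +0000] "GET /js/vendors.php?file=menu.js HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Oct/2006:10:00:05 +0000] "GET /js/vendors.php?file=../../somefile.txt%00.js HTTP/1.1" 200 901',
    '198.51.100.7 - - [01/Oct/2006:10:00:09 +0000] "GET /js/vendors.php?file=%252e%252e%252fsomefile.txt%2500.js HTTP/1.1" 200 733',
    '192.0.2.10 - - [01/Oct/2006:10:00:12 +0000] "GET /index.php?file=..%2Fx HTTP/1.1" 404 0',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return the advisory indicators found in one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(TARGET_SUFFIX):
        return []
    reasons = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key != "file":
            continue
        value = fully_decode(value)  # parse_qsl already decoded once
        if ".." in re.split(r"[\\/]", value) and "traversal" not in reasons:
            reasons.append("traversal")
        if "\x00" in value and "nul-byte" not in reasons:
            reasons.append("nul-byte")
    return reasons


def scan(lines):
    """Return (1-based line number, indicators) for every matching line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]
```

Calling scan(SAMPLE_LOG) reports lines 2 and 3; a hit with a 200 status on a version before 1.1.8.3544 is worth following up as a possible file disclosure.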