Impact
Insufficient input validation in the APIs exposed by the loklak server allowed directory traversal: a client-supplied path was used to locate files on the host without being confined to the intended directory. An attacker could retrieve any admin configuration file and any other file on the hosting file system that is readable by the application. Furthermore, user-controlled content could be written to those same admin configuration files and application-readable files.
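The defence against this class of bug is to canonicalise the client-supplied path and require that it still lies inside the directory the API is meant to serve, checking both lexically (after collapsing `..`) and physically (after following symlinks). The Java class below is an added example written for this advisory; it is not loklak's code and not the change made in commit 50dd692. The class name, method names, the temporary base directory and the sample inputs are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not loklak code): resolves an untrusted, client-supplied
 * path strictly inside a fixed base directory, rejecting traversal attempts.
 */
public final class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // Canonicalise once so symlinks or ".." inside the base itself are resolved up front.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns a canonical path under baseDir, or throws if the input would escape it. */
    public Path resolve(String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty() || untrusted.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-containing path");
        }
        Path rel = Paths.get(untrusted);
        // Reject anything carrying a root component ("/etc/passwd", "C:\\x", "\\x"), not
        // just absolute paths, so resolve() cannot be short-circuited by the client.
        if (rel.isAbsolute() || rel.getRoot() != null) {
            throw new IllegalArgumentException("rooted path rejected: " + untrusted);
        }
        // Lexical check: collapse "." and ".." and require the result to remain under baseDir.
        Path candidate = baseDir.resolve(rel).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrusted);
        }
        // Physical check: find the deepest ancestor that exists (a dangling symlink counts as
        // existing because of NOFOLLOW_LINKS) and follow its links. A link planted inside
        // baseDir must not redirect the access back outside it; a dangling link makes
        // toRealPath() throw, which also rejects the request. The non-existent tail (e.g. a
        // file about to be written) cannot itself be a link.
        Path existing = candidate;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent(); // terminates: baseDir itself exists
        }
        Path real = existing.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new IllegalArgumentException("symlink escapes base directory: " + untrusted);
        }
        return real.resolve(existing.relativize(candidate));
    }

    /** Demo on a constructed temporary directory; inputs are made up for illustration. */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("traversal-demo");
        Files.createDirectories(base.resolve("data"));
        Files.write(base.resolve("data").resolve("hello.txt"), "hello\n".getBytes("UTF-8"));
        SafePathResolver resolver = new SafePathResolver(base);

        String[] inputs = {
            "data/hello.txt",           // plain read inside the base: accepted
            "data/../data/hello.txt",   // harmless ".." that stays inside: accepted
            "data/new.txt",             // not-yet-existing write target inside: accepted
            "../../etc/passwd",         // classic traversal: rejected lexically
            "/etc/passwd",              // rooted path: rejected before resolution
        };
        for (String in : inputs) {
            try {
                System.out.println("accept " + in + " -> " + resolver.resolve(in));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("reject " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java SafePathResolver.java` (Java 11 or later launches a single source file directly). The lexical `startsWith` check alone is not enough: if the application ever creates files from user input, an attacker who can plant a symlink under the base directory can point a lexically valid path at `/etc` or the admin configuration, which is why the second, physical check follows links on the existing part of the path before any read or write happens.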
Patches
The vulnerability was patched in commit 50dd692. Users need to upgrade their hosted instances of loklak to a build that includes this commit.
References
https://en.wikipedia.org/wiki/Directory_traversal_attack
For more information
If you have any questions or comments about this advisory: