Description
util/FileDownloadUtils.java in FileDownloader 1.7.3 does not check an attachment's name. If an attacker places "../" in the file name, the file can be stored in an unintended directory because of Directory Traversal.
Remediation
References
https://github.com/lingochamp/FileDownloader/issues/1028
Related Vulnerabilities
CVE-2023-1108 Vulnerability in maven package io.undertow:undertow-core
CVE-2016-10750 Vulnerability in maven package com.hazelcast:hazelcast-spring
CVE-2022-28220 Vulnerability in maven package org.apache.james:james-server-protocols-imap4
CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2019-10754 Vulnerability in maven package org.apereo.cas:cas-server-support-simple-mfa