Description

An issue was discovered in XXL-CONF 1.6.0. There is a path traversal vulnerability via ../ in the keys parameter that can download any configuration file, related to ConfController.java and PropUtil.java.

Remediation

References

https://github.com/xuxueli/xxl-conf/issues/61

Related Vulnerabilities

CVE-2022-36097 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2022-39239 Vulnerability in npm package @netlify/ipx

CVE-2022-24847 Vulnerability in maven package org.geoserver.web:gs-web-sec-jdbc

CVE-2022-25844 Vulnerability in npm package angular

CVE-2020-7675 Vulnerability in npm package cd-messenger

Severity

High

Classification

CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Issue Tracking Third Party Advisory