WEB APPLICATION VULNERABILITIES Standard & Premium

GibbonEdu Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2023-45880)

Description

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.

Remediation

References

Related Vulnerabilities

Perl Out-of-bounds Write Vulnerability (CVE-2018-6913)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-5264)

WordPress 6.3.x Multiple Vulnerabilities (6.3 - 6.3.1)

Apache Tomcat Other Vulnerability (CVE-2002-1567)

WordPress Plugin Job Board by BestWebSoft Cross-Site Scripting (1.1.3)

Severity

High

Classification

CVE-2023-45880 CWE-22 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities