VulDB·CWE-24·Published 2024-01-25
A vulnerability has been identified in qwdigital LinkWechat 5.1.0. It has been rated as problematic. It affects an unknown code section of the file /linkwechat-api/common/download/resource of the component Universal Download Interface. Manipulating the argument name with the input /profile/../../../../../etc/passwd and unknown data can be used to exploit a path traversal: '../filedir' vulnerability. The attack can be carried out over the network. The exploit is publicly available.
A vulnerability was found in qwdigital LinkWechat 5.1.0. It has been classified as problematic. This affects an unknown part of the file /linkwechat-api/common/download/resource of the component Universal Download Interface. The manipulation of the argument name with the input /profile/../../../../../etc/passwd leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252033 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | cve.org | 4.0 | — | — | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| 2.0 | Secondary | NVD | 4.0 | 8.0 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| 3.0 | Primary | cve.org | 4.3 | — | — | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Primary | cve.org | 4.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | NVD | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |