A vulnerability was found in Widoco and classified as critical. Affected by this issue is the function unZipIt of the file src/main/java/widoco/WidocoUtils.java. The manipulation leads to path traversal. Using CWE to declare the problem leads to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The weakness was shared on 12/27/2022 as 551. The advisory is available at github.com.
This vulnerability is handled as CVE-2022-4772. The attack can be launched on the local host. Technical details are available. There is no exploit available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment. This vulnerability is assigned to T1006 by the MITRE ATT&CK project.
The exploit maturity is declared as not defined. As a 0-day, the estimated underground price was around $0-$5k.
The patch is identified as commit f2279b76827f32190adfa9bd5229b7d5a147fa92. The bugfix is available for download at github.com. Applying the patch is the recommended fix for this issue. A possible mitigation was published before, not just after, the disclosure of the vulnerability.
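The following is an added example and is neither Widoco's code nor the referenced patch: a generic hardened zip extraction in Java that canonicalizes each entry's output path and rejects any entry that would resolve outside the destination directory, which is the standard remedy for CWE-22 in an unzip routine of this kind. The class name SafeUnzip, the helper buildArchive and the entry names are hypothetical, and the archive is constructed in memory so the program runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    // Hardened extraction (illustrative, not Widoco's unZipIt): every entry's
    // target path is canonicalized and must remain inside destDir.
    public static void unZipIt(InputStream zipStream, File destDir) throws IOException {
        // Trailing separator so that "/tmp/dest-evil" is not accepted as inside "/tmp/dest"
        String destPath = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = new File(destDir, entry.getName());
                // getCanonicalPath collapses "..", redundant separators and symlinks
                if (!target.getCanonicalPath().startsWith(destPath)) {
                    throw new IOException("Zip entry escapes destination: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.getParentFile().toPath());
                    try (FileOutputStream out = new FileOutputStream(target)) {
                        zis.transferTo(out); // Java 9+
                    }
                }
                zis.closeEntry();
            }
        }
    }

    // Constructed sample archive: one benign entry and one traversal entry.
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("docs/index.html"));
            zos.write("<html/>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../escaped.txt"));
            zos.write("pwned".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-dest").toFile();
        try {
            unZipIt(new ByteArrayInputStream(buildArchive()), dest);
            System.out.println("extraction completed (unexpected)");
        } catch (IOException e) {
            // The benign entry has been written; the traversal entry is refused before any write
            System.out.println("rejected: " + e.getMessage());
        }
        File escaped = new File(dest.getParentFile().getParentFile(), "escaped.txt");
        System.out.println("file written outside destination: " + escaped.exists());
    }
}
```

The check is done on the canonical path rather than on the raw entry name, because a name such as `docs/../../x` or one containing a symlinked component only reveals its real target after canonicalization; a simple `contains("..")` filter misses the symlink case and rejects legitimate names. Extraction should also stop at the first offending entry rather than skip it, since an archive carrying a traversal entry is hostile as a whole.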