| Title | vlife 2.0.1 Arbitrary File Read |
|---|---|
| Description | The SysFileApi allows unauthenticated creation of SysFile objects with attacker-controlled file names due to a missing authentication check on /sysFile/create/ (caused by an outdated spring-security-web version). Combined with path concatenation in endpoints like /sysFile/image/{id}, this enables directory traversal and arbitrary file read. |
| Source | https://github.com/wwwlike/vlife/issues/3 |
| User | R1ckyZ (UID 92331) |
| Submission | 11/05/2025 09:02 AM (4 months ago) |
| Moderation | 11/16/2025 04:36 PM (11 days later) |
| Status | Accepted |
| VulDB entry | 332601 [wwwlike vlife up to 2.0.1 VLifeApi SysFileApi.java create fileName path traversal] |
| Points | 19 |