| Title | lsFusion 6.1 Arbitrary File Overwrite and Deletion |
|---|---|
| Description | The server-side MakeUnzipFileAction invokes the unpackFile method in ZipUtils. This method does not restrict filenames or symbolic links within the compressed archive, allowing directory traversal during extraction. As a result, files can be written to arbitrary locations and existing files may be overwritten, leading to arbitrary file overwrite and arbitrary file deletion vulnerabilities. This same issue also occurs with EmailReceiver. |
| Source | https://github.com/lsfusion/platform/issues/1545 |
| User | R1ckyZ (UID 92331) |
| Submission | 05/11/2025 08:36 AM (6 months ago) |
| Moderation | 16/11/2025 04:33 PM (11 days later) |
| Status | Accepted |
| VulDB Entry | 332600 [lsfusion platform up to 6.1 ZipUtils.java unpackFile directory traversal] |
| Points | 20 |