| Field | Value |
|---|---|
| Title | HBAI-Ltd Toonflow 1.1.1 Path Traversal Leading to Arbitrary File Read |
| Description | A three-step attack chain allows any authenticated user to read arbitrary files from the server via the storyboard export feature: (1) Inject a malicious `filePath` into the `o_storyboard` database table via `updateStoryboardUrl`; the `replaceUrl()` function fails to sanitize non-URL strings, returning path traversal payloads unchanged. (2) Trigger the file read via `exportImage`; the endpoint uses `path.join(getPath("oss"), item.filePath!)` without `isPathInside()` validation, allowing the crafted `filePath` to escape the OSS directory. (3) Exfiltrate the file contents; the file is included in the downloaded ZIP archive. |
| Source | https://github.com/HBAI-Ltd/Toonflow-app/issues/97 |
| User | Yu-Bao (UID 96702) |
| Submission | 08/04/2026 11:07 AM (19 days ago) |
| Moderation | 26/04/2026 10:16 AM (18 days later) |
| Status | Accepted |
| VulDB Entry | 359661 [HBAI-Ltd Toonflow-app up to 1.1.1 Storyboard Export replaceUrl.ts updateStoryboardUrl url path traversal] |
| Points | 20 |