| Title | lsFusion 6.1 Arbitrary File Overwrite and Deletion |
|---|---|
| Description | The server-side MakeUnzipFileAction invokes the unpackFile method in ZipUtils. This method does not restrict filenames or symbolic links within the compressed archive, allowing directory traversal during extraction. As a result, files can be written to arbitrary locations and existing files may be overwritten, leading to arbitrary file overwrite and arbitrary file deletion vulnerabilities. This same issue also occurs with EmailReceiver. |
| Source | https://github.com/lsfusion/platform/issues/1545 |
| User | R1ckyZ (UID 92331) |
| Submission | 11/05/2025 08:36 (6 months ago) |
| Moderation | 11/16/2025 16:33 (11 days later) |
| Status | Accepted |
| VulDB entry | 332600 [lsfusion platform up to 6.1 ZipUtils.java unpackFile path traversal] |
| Points | 20 |
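
The missing restriction described above, shown as an added example of extraction that stays inside its target directory. This is not lsFusion's `ZipUtils` code or its fix; `SafeUnzip` and `extract` are hypothetical names, and refusing to overwrite existing files is a policy assumed here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Added illustration: SafeUnzip/extract are hypothetical names, not lsFusion code.
public final class SafeUnzip {

    public static void extract(InputStream archive, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        // Canonical root: symlinks in the destination path itself are resolved once.
        Path root = targetDir.toRealPath();

        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Lexical check: "../" segments and absolute names must not leave root.
                Path dest = root.resolve(entry.getName()).normalize();
                if (!dest.startsWith(root)) {
                    throw new IOException("Entry escapes target directory: " + entry.getName());
                }

                // Filesystem check: find the nearest ancestor that already exists and
                // make sure a symlink under root does not redirect the write elsewhere.
                Path parent = entry.isDirectory() ? dest : dest.getParent();
                Path existing = parent;
                while (!Files.exists(existing)) {
                    existing = existing.getParent();
                }
                if (!existing.toRealPath().startsWith(root)) {
                    throw new IOException("Entry resolves outside target directory: " + entry.getName());
                }

                Files.createDirectories(parent);
                if (entry.isDirectory()) {
                    continue;
                }
                // Assumed policy: never overwrite. Files.copy without REPLACE_EXISTING
                // throws FileAlreadyExistsException if dest exists, symlinks included.
                Files.copy(zis, dest);
            }
        }
    }
}
```

The checks and the write are separate steps, so the target directory should not be writable by other parties while extraction runs.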