An attacker can include file contents from outside the /adapter/xxx/
directory, where xxx
is the name of an existent adapter like “admin”. It is exploited using the administrative web panel with a request for an adapter file. Note: The attacker has to be logged in if the authentication is enabled (by default isn’t enabled).
CPE | Name | Operator | Version |
---|---|---|---|
iobroker.js-controller | lt | 2.0.25 |