1201 matches found

Positive Technologies
added 2018/05/29 12:0 a.m. · 2 views

PT-2018-16157 · Unknown · Crud-File-Server

Name of the Vulnerable Software and Affected Versions: crud-file-server versions prior to 0.9.0
Description: The issue arises from incorrect validation of URLs, allowing a malicious user to read the content of any file with a known path due to a Path Traversal vulnerability. This is because the...

CVSS 7.5 · AI score 7.4 · EPSS 0.00368
Exploits: 1 · References: 7

Node.js
added 2018/04/24 3:50 p.m. · 23 views

Path Traversal

Overview: All versions of general-file-server are vulnerable to path traversal.
Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not use this module until a fix has been provided.
References:
- HackerOne Report
- GitHub Advisory...

CVSS 5 · AI score 3.3 · EPSS 0.00529
Exploits: 1 · Affected Software: 1

Node.js
added 2018/04/20 9:40 p.m. · 30 views

Cross-site Scripting (XSS) - Stored

Overview: Versions of crud-file-server before 0.8.0 are vulnerable to stored cross-site scripting (XSS). This is due to insufficient sanitization of filenames when directory index is served by crud-file-server.
Recommendation: Update to version 0.8.0 or later.
References:
- GitHub Commit 4155bfe -...

CVSS 4.3 · AI score 2.9 · EPSS 0.00293
Exploits: 1 · Affected Software: 1

Veracode
added 2018/04/04 6:50 a.m. · 12 views

Directory Traversal

crud-file-server is vulnerable to directory traversal attacks. The vulnerability exists due to the lack of ../ sanitization on the user input, allowing attackers to access files outside of the server's scope...

CVSS 7.5 · AI score 7.4 · EPSS 0.00368
Exploits: 1 · References: 3 · Affected Software: 1

Veracode
added 2018/03/12 6:32 a.m. · 15 views

Path Traversal

general-file-server is vulnerable to path traversal attacks. Using a string including ../, attackers can traverse the server and any file with a known path...

CVSS 7.5 · AI score 7.3 · EPSS 0.00529
Exploits: 1 · References: 1 · Affected Software: 1

Citrix
added 2018/03/01 12:0 a.m. · 3 views

vDisk Lost Properties in PVS Console

vDisk lost properties in PVS console. After moving vDisk to an individual file server with MS DFS enabled, vDisk is shown as No server and file size cannot be identified...

AI score 7
Exploits: 0

Hacker One
added 2018/01/31 8:38 p.m. · 51 views

Node.js third-party modules: [crud-file-server] Stored XSS in filenames when directory index is served by crud-file-server

Hi Guys, crud-file-server allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript.
Module: crud-file-server
This package exposes a directory and its children to create, read, update, and delete operations over http...

CVSS 4.3 · AI score 6.2 · EPSS 0.00293
Exploits: 1

Hacker One
added 2018/01/31 1:35 p.m. · 41 views

Node.js third-party modules: [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server

Hi Guys, There is Path Traversal in general-file-server module. It allows to read content of arbitrary files on the remote server.
Module: general-file-server
This is a general file server made by nodejs. It will be easy for you to access the files on the server through the browser...

CVSS 5 · AI score 0.3 · EPSS 0.00529
Exploits: 1

Hacker One
added 2018/01/31 12:14 a.m. · 89 views

Node.js third-party modules: [crud-file-server] Path Traversal allows to read arbitrary file from the server

Hi Guys, There is Path Traversal vulnerability in crud-file-server module, which allows to read arbitrary file from the remote server.
Module: crud-file-server
This package exposes a directory and its children to create, read, update, and delete operations over http...

CVSS 5 · AI score 7.3 · EPSS 0.00368
Exploits: 1

Hacker One
added 2018/01/25 10:2 p.m. · 119 views

Node.js third-party modules: [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere

Hi Guys, anywhere allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript.
Module: Running static file server anywhere. https://www.npmjs.com/package/anywhere
Description: To embed malicious tag with JavaScript code to execute, / character is...

CVSS 3.5 · AI score 5.9 · EPSS 0.00332
Exploits: 1

Node.js
added 2018/01/23 4:29 p.m. · 34 views

Directory Traversal

Overview: Affected versions of augustine resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

AI score 6.6
Exploits: 0 · Affected Software: 1

Github Security Blog
added 2017/12/28 10:52 p.m. · 37 views

Denial of Service in ecstatic

ecstatic, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (%00) is provided by an attacker it can crash ecstatic by running it out of memory.
Results from the original advisory: A payload of 22kB caused a lag of 1 second, A...

CVSS 7.8 · AI score 2.8 · EPSS 0.01523
Exploits: 1 · References: 7 · Affected Software: 1

CNVD
added 2017/12/18 12:0 a.m. · 2 views

ecstatic npm package denial of service vulnerability

ecstatic npm package is a static file server middleware. A denial of service vulnerability exists in the lib/ecstatic.js file in versions of ecstatic npm package prior to 2.0.0. A remote attacker can exploit this vulnerability to cause a denial of service overload and crash by passing a malicious...

CVSS 7.8 · AI score 6.7 · EPSS 0.01523
Exploits: 1 · References: 1

BDU FSTEC
added 2017/10/17 12:0 a.m. · 0 views

The vulnerability of the reportId parameter in the getReportStatus method of the Kaspersky Anti-Virus for Linux File Server antivirus protection tool allows a hacker to access and read arbitrary files.

The vulnerability of the reportId parameter in the getReportStatus method of the Kaspersky Anti-Virus for Linux File Server antivirus tool is related to the lack of protection for service data. Exploiting this vulnerability allows a malicious actor, operating remotely, to read arbitrary files wit...

CVSS 5 · AI score 7.3 · EPSS 0.2717
Exploits: 5 · References: 6 · Affected Software: 1

BDU FSTEC
added 2017/10/17 12:0 a.m. · 0 views

The vulnerability in the web interface of the Kaspersky Anti-Virus for Linux File Server allows a malicious actor to send authenticated requests.

The vulnerability of the Kaspersky Anti-Virus for Linux File Server web interface is related to the absence of Anti-CSRF tokens in all forms of the interface. Exploiting this vulnerability allows a malicious actor to send authenticated requests during the time when the authenticated user is viewi...

CVSS 6.8 · AI score 7.6 · EPSS 0.01078
Exploits: 5 · References: 6 · Affected Software: 1

BDU FSTEC
added 2017/09/28 12:0 a.m. · 0 views

The vulnerability of the scriptName parameter in the licenseKeyInfo method of the Kaspersky Anti-Virus for Linux File Server security tool allows a hacker to obtain files from the attacked system.

The vulnerability of the scriptName parameter in the licenseKeyInfo method of the Kaspersky Anti-Virus for Linux File Server security tool exists due to the lack of measures taken to protect the web page structure. Exploiting this vulnerability can allow a malicious actor, operating remotely, to...

CVSS 4.3 · AI score 6.6 · EPSS 0.03675
Exploits: 5 · References: 6 · Affected Software: 1

Check Point Advisories
added 2017/07/26 12:0 a.m. · 3 views

Kaspersky Anti-Virus for Linux File Server getReportStatus Directory Traversal (CVE-2017-9812)

A directory traversal vulnerability exists in Kaspersky Anti-Virus for Linux File Server. The vulnerability is due to a lack of proper validation of a user-supplied path when a request is sent to check the status of a report. A remote, authenticated attacker can exploit this vulnerability by...

CVSS 5 · AI score 3.9 · EPSS 0.2717
Exploits: 5

Node.js
added 2017/07/18 8:8 p.m. · 41 views

Directory Traversal

Overview: intsol-package is a file server. intsol-package is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Example Request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:localhost and the server's Response HTTP/1.1...

CVSS 5 · AI score 5 · EPSS 0.00533
Exploits: 1 · Affected Software: 1

OSV
added 2017/07/17 9:29 p.m. · 1 views

CVE-2017-9811

The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 version 8.0.4.312. By abusing the quarantine read and write operations, it is possible to elevate the privileges to root...

CVSS 9.8 · AI score 5.8 · EPSS 0.24673
Exploits: 5 · References: 6

OSV
added 2017/07/17 9:29 p.m. · 2 views

CVE-2017-9813

In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 version 8.0.4.312, the scriptName parameter of the licenseKeyInfo action method is vulnerable to cross-site scripting (XSS)...

CVSS 6.1 · AI score 5.7
Exploits: 0 · References: 6