GHSA-4JW9-5HRC-M4J6 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

Summary POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath. That...

Apache SIS 安全漏洞

Apache SIS is an open source library for spatial information from the Apache Foundation. A security vulnerability exists in Apache SIS versions 0.4 through 1.5, which stems from an improperly restricted XML external entity reference that could result in reading a server-local file...

CVE-2024-10126

Local File Inclusion vulnerability in M-Files Server in versions before 24.11 excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7 allows an authenticated user to read server local files of a limited set of filetypes via document preview...

CVE-2024-10126

The CVE concerns M-Files Server with a Local File Inclusion (LFI) in the document preview feature. Affected versions are before 24.11 (excluding 24.8 SR1, 24.2 SR3, and 23.8 SR7). An authenticated user can read server-local files of a limited set of filetypes via the document preview. Root cause:...