5 matches found
CVE-2022-39367
QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files int...
Code injection
QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files int...
CVE-2022-39367
Summary of CVE-2022-39367 (QTIWorks): Prior to version 1.0-beta15, QTIWorks Engine allows uploading QTI content ZIP packages. The ZIP handling code does not properly validate file paths inside ZIPs, enabling insertion of files into arbitrary locations writable by the Engine process and potential...
CVE-2022-39367 Vulnerability in handling of uploaded QTI ZIP files
QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files int...
CVE-2022-39367 Vulnerability in handling of uploaded QTI ZIP files
QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files int...