Characters in the GET URL path are not properly escaped and can be reflected in the server...
CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001
An attacker can include file contents from outside the /adapter/xxx/ directory, where xxx is the name of an existing adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. Note: The attacker has to be logged in if authentication is enabled.....
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.002
iobroker.admin before 3.6.12 allows an attacker to include file contents from outside the /log/file1/...
CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.005