CVE-2018-11248

Published

Severity

CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH

Description

util/FileDownloadUtils.java in FileDownloader 1.7.3 does not check an attachment's name. If an attacker places "../" in the file name, the file can be stored in an unintended directory because of Directory Traversal.
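The missing check, as an added example (not FileDownloader's code or its fix): a server-supplied attachment name is refused if it carries any path component, and the resolved path must stay inside the download directory. The class name `SafeAttachmentName`, the method `resolveDownloadTarget`, and the sample names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration; SafeAttachmentName and resolveDownloadTarget are
// hypothetical names, not part of FileDownloader.
public class SafeAttachmentName {

    /** Resolves a server-supplied attachment name inside downloadDir, or throws. */
    static Path resolveDownloadTarget(Path downloadDir, String attachmentName) throws IOException {
        if (attachmentName == null || attachmentName.isEmpty()) {
            throw new IOException("empty attachment name");
        }
        // A legitimate file name has no path part: reject separators, NUL, "." and "..".
        if (attachmentName.contains("/") || attachmentName.contains("\\")
                || attachmentName.indexOf('\0') >= 0
                || attachmentName.equals(".") || attachmentName.equals("..")) {
            throw new IOException("illegal attachment name: " + attachmentName);
        }
        Path base = downloadDir.toAbsolutePath().normalize();
        Path target = base.resolve(attachmentName).normalize();
        // Defence in depth: the normalized result must still sit under the base directory.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("attachment name escapes download directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("downloads"); // constructed sample directory
        // Constructed sample names, standing in for what a remote server might send.
        String[] names = {"report.pdf", "../evil.sh", "..\\evil.bat", "a/../../b", ".."};
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + resolveDownloadTarget(dir, n));
            } catch (IOException e) {
                System.out.println("REJECT  " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `report.pdf` is accepted; every name containing a separator or consisting of `..` is rejected before any file is opened.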

References

Configurations

CPE23: cpe:2.3:a:liulishuo:filedownloader:1.7.3:*:*:*:*:*:*:*
Version Start: n/a
Version End: n/a
Exact Version: 1.7.3

External Links