Impact
- A remote attacker can read local files from the server by supplying path traversal sequences in the Path argument, which can disclose sensitive information.
Patches
- This issue has been fixed by applying `.replace('..', '')` to the Path argument, which strips every `..` sequence that a path traversal payload relies on.
Workarounds
- If you cannot update, open `app.py` and apply `.replace('..', '')` to the `Path` variable inside the `recon` function.
Credits:
- All credit for finding and disclosing this issue goes to @Ry0taK.
For more information
If you have any questions or comments about this advisory: