Main Vulnerability Database SB2019032121

SB2019032121 - Path traversal in Lussumo Vanilla

Published: March 21, 2019 Updated: July 17, 2020

Security Bulletin ID SB2019032121

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2019-9889)

The vulnerability allows a remote privileged user to gain access to sensitive information.

In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server.

Remediation

Install update from vendor's website.

References

https://github.com/vanilla/vanilla/compare/b043ae8...9f12b22
https://github.com/vanilla/vanilla/pull/7840
https://hackerone.com/reports/411140