[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Rocket.Chat Path Traversal

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Rocket.Chat Path Traversal
From: Moe Szyslak <mommar.morris.szyslak@xxxxxxxxx>
Date: Fri, 18 Dec 2020 22:04:11 +0100

Rocket.Chat has fixed a server-side path traversal vulnerability that may
be abused to write files to attacker-controlled locations:

https://github.com/RocketChat/Rocket.Chat/commit/f5c7d94bffb279d7a2f859773935fb5cf70c81cd

Exploitation of this vulnerability requires uploading attachments with
crafted names and requesting a data download.

No release of Rocket.Chat contains these fixes. Users should consider
cherrypicking f5c7d94bffb279d7a2f859773935fb5cf70c81cd to patch their
Rocket.Chat installation.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] remote code execution when open a project in android studio that google refused to fix(still 0day)
Next by Date: [FD] AST-2020-003: Remote crash in res_pjsip_diversion
Previous by thread: [FD] remote code execution when open a project in android studio that google refused to fix(still 0day)
Next by thread: [FD] AST-2020-003: Remote crash in res_pjsip_diversion
Index(es):
- Date
- Thread