com.butor:portal@1.0.26 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.butor:portal package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Directory Traversal (severity: H)

com.butor:portal is part of the Butor Platform.

Affected versions of this package are vulnerable to Directory Traversal leading to a pre-authentication arbitrary file download: a remote, unauthenticated user can download any file readable by the server process on hosts running Butor Portal. The WhiteLabelingServlet class does not sanitize the user-supplied theme parameter t before using it to build a filesystem path. That path is then used without validation to read a file and return its raw content to the requester, through a request of the form /wl?t=../../...&h= followed by a filename.

How to fix Directory Traversal?

A fix has been pushed to the master branch but has not yet been published as a release.
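The pattern behind this class of bug is a request parameter that is joined onto a base directory and opened without confirming the result still lies inside that directory. The following is an added example of a hardened resolver, not Butor's own code and not the actual fix in its master branch; it assumes theme assets live under a single base directory and that the servlet's t and h parameters map to the theme and file-name arguments shown here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Hypothetical hardened theme-file resolver (example code, not Butor's own).
 * It applies two independent checks: an allow-list on each path segment,
 * then a canonical-path containment check after resolution.
 */
public final class ThemeFileResolver {
    // Only plain identifiers are accepted as a theme or file name; this alone
    // rejects "/" and "\" separators, but "." and ".." still match and are
    // excluded explicitly below.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    private final Path baseDir;

    public ThemeFileResolver(Path baseDir) throws IOException {
        // Canonicalise once so later startsWith() comparisons are meaningful.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the file to serve, or null when the request must be refused. */
    public Path resolve(String theme, String fileName) throws IOException {
        if (theme == null || fileName == null) {
            return null;
        }
        if (!isSafeSegment(theme) || !isSafeSegment(fileName)) {
            return null;
        }
        Path candidate = baseDir.resolve(theme).resolve(fileName).normalize();
        if (!Files.isRegularFile(candidate)) {
            return null;
        }
        // toRealPath() follows symlinks, so a link pointing outside the theme
        // directory is also caught by the containment check.
        Path real = candidate.toRealPath();
        return real.startsWith(baseDir) ? real : null;
    }

    private static boolean isSafeSegment(String s) {
        return SAFE_SEGMENT.matcher(s).matches() && !s.equals(".") && !s.equals("..");
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: one theme directory with one stylesheet in it.
        Path base = Files.createTempDirectory("themes");
        Path themeDir = Files.createDirectories(base.resolve("default"));
        Files.write(themeDir.resolve("style.css"), "body{}".getBytes(StandardCharsets.UTF_8));

        ThemeFileResolver resolver = new ThemeFileResolver(base);
        System.out.println("legit:     " + resolver.resolve("default", "style.css"));
        System.out.println("traversal: " + resolver.resolve("../..", "other.txt"));
        System.out.println("separator: " + resolver.resolve("default/../..", "other.txt"));
        System.out.println("missing:   " + resolver.resolve("default", "nope.css"));
    }
}
```

Running main prints the resolved path for the legitimate request and null for the other three; the two rejection layers are deliberately redundant so that a bypass of the segment regex still has to defeat the canonical-path containment check.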

Vulnerable version range: [0,) (all released versions)