Characters in the GET url path are not properly escaped and can be reflected in the server response.

An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if the authentication is enabled (by default isn't enabled).

iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory.