CVE-2022-23409: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

February 1, 2022 (updated February 10, 2022)

The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php.

References

packetstormsecurity.com/files/165706/Ethercreative-Logs-3.0.3-Path-Traversal.html
github.com/advisories/GHSA-9chx-2vqw-8vq5
github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
nvd.nist.gov/vuln/detail/CVE-2022-23409
plugins.craftcms.com/logs
sec-consult.com/vulnerability-lab/

Detect and mitigate CVE-2022-23409 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →