Advisories for Composer/Melisplatform/Melis-Asset-Manager package

2022

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of melisplatform/melis-asset-manager, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-asset-manager >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.