Advisories for Maven/Uk.ac.ed.ph.qtiworks/Qtiworks-Engine package

2022

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so a crafted package can write files into other locations in the filesystem if they are writable by the process running the QTIWorks Engine. In extreme cases, this could allow anonymous …