GHSA-277h-px4m-62q8: @saltcorn/server arbitrary file zip read and download when downloading auto backups
A user with admin permission can read and download arbitrary zip files when downloading auto backups. The file name used to identify the zip file is not properly sanitized when passed to the res.download API.
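One way to constrain a client-supplied file name before it reaches res.download, as an added example (not Saltcorn's code and not its actual patch). The backup directory, the naming pattern, the `filename` query parameter and both function names are assumptions made for illustration.

```javascript
const path = require("path");

// Assumed values for illustration; not taken from Saltcorn.
const BACKUP_DIR = "/var/backups/app";
const BACKUP_NAME_RE = /^[A-Za-z0-9._-]+\.zip$/;

// Map a client-supplied name to an absolute path directly inside backupDir.
// Returns null when the name is not a bare, allow-listed zip file name.
function resolveBackupFile(requestedName, backupDir = BACKUP_DIR) {
  // Query parsers can hand back arrays or objects; accept strings only.
  if (typeof requestedName !== "string") return null;
  if (requestedName.includes("\0")) return null;
  // A bare file name is its own basename under both POSIX and Windows rules,
  // so "../x.zip", "/etc/x.zip" and "..\\x.zip" are all rejected here.
  if (path.posix.basename(requestedName) !== requestedName) return null;
  if (path.win32.basename(requestedName) !== requestedName) return null;
  // Allow-list the characters and the extension.
  if (!BACKUP_NAME_RE.test(requestedName)) return null;
  const root = path.resolve(backupDir);
  const full = path.resolve(root, requestedName);
  // Defence in depth: the resolved file must sit directly under the root.
  if (path.dirname(full) !== root) return null;
  return full;
}

// Express-style handler (hypothetical route): only a validated path is
// ever passed to res.download.
function downloadAutoBackup(req, res) {
  const file = resolveBackupFile(req.query.filename);
  if (file === null) return res.status(400).send("invalid backup name");
  return res.download(file, path.basename(file));
}
```

The check validates the name only; it does not replace the admin-permission check on the route.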