Path traversal in FreeTAKServer-UI
An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system.
Advisories for Pypi/FreeTAKServer-UI package
2022
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Callsign parameter.
Exposure of Sensitive Information to an Unauthorized Actor in FreeTAKServer-UI
FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys.