N/A

A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive that contains all files in a folder and its subfolders. If an attacker specifies the title of a file or folder as a relative or absolute path (e.g., ../../../etc/passwd), the ZIP archive generated for download converts that title into a path. Depending on the extraction tool used by the user, this might overwrite files locally outside of the chosen directory.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

路径遍历：’../filedir’

OpenSlides 安全漏洞

OpenSlides是OpenSlides开源的一个免费的、基于网络的演示和集会系统。用于管理和投影集会的议程、动议和选举。 OpenSlides 4.2.5之前版本存在安全漏洞，该漏洞源于文件上传功能中的目录遍历问题，可能导致本地文件被覆盖。

N/A

N/A