Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
Vulnerability Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
使用不正确的解析名称或索引
Vulnerability Title
File Browser 安全漏洞
Vulnerability Description
File Browser是File Browser开源的一个文件管理界面,在指定的目录,它可以用来上传,删除,预览和编辑文件。 File Browser 2.57.1之前版本存在安全漏洞,该漏洞源于可通过修改请求URL绕过文件路径规则,可能导致未经授权访问受限文件。
CVSS Information
N/A
Vulnerability Type
N/A