Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory
Vulnerability Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
CVSS Information
N/A
Vulnerability Type
信息暴露
Vulnerability Title
File Browser 信息泄露漏洞
Vulnerability Description
File Browser是File Browser开源的一个文件管理界面,在指定的目录,它可以用来上传,删除,预览和编辑文件。 File Browser 2.61.0之前版本存在信息泄露漏洞,该漏洞源于创建目录的公共共享链接时,http/public.go中的withHashFile中间件使用filepath.Dir(link.Path)计算BasePathFs根目录,可能导致拥有共享链接的任何人都能浏览和下载所有同级目录中的文件。
CVSS Information
N/A
Vulnerability Type
N/A