Arbitrary File Download Vulnerability in Tipask < 3.5.9
CVE-2021-41714 · MEDIUM Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage.
Learn more about our Cis Benchmark Audit For Server Software.