Arbitrary File Download Vulnerability in Tipask < 3.5.9

Arbitrary File Download Vulnerability in Tipask < 3.5.9

CVE-2021-41714 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage.

Learn more about our Cis Benchmark Audit For Server Software.