Directory Traversal Vulnerability in GibbonEdu Gibbon (Version 25.0.0) Allows Arbitrary File Creation
CVE-2023-45880 · HIGH Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.
Learn more about our Web App Pen Testing.