Directory Traversal Vulnerability in GibbonEdu Gibbon (Version 25.0.0) Allows Arbitrary File Creation

Directory Traversal Vulnerability in GibbonEdu Gibbon (Version 25.0.0) Allows Arbitrary File Creation

CVE-2023-45880 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.

Learn more about our Web App Pen Testing.