CVE-2023-26563

The Syncfusion EJ2 Node File Provider 0102271 is vulnerable to filesystem-server.js directory traversal. As a result, an unauthenticated attacker can: - On Windows, list files in any directory, read any file, delete any file, upload any file to any directory accessible by the web server. - On Linux, read any file, download any directory, delete any file, upload any file to any directory accessible by the web server.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Common Weakness Enumeration
References
https://ej2.syncfusion.com/documentation/file-manager/file-system-provider/
https://github.com/RupturaInfoSec/CVE-2023-26563-26564-26565/
https://github.com/SyncfusionExamples/ej2-filemanager-node-filesystem
https://ej2.syncfusion.com/documentation/file-manager/file-system-provider/
https://github.com/RupturaInfoSec/CVE-2023-26563-26564-26565/
https://github.com/SyncfusionExamples/ej2-filemanager-node-filesystem