CVE-2019-10767

HIGH

iobroker.js-controller < 2.0.25 - Path Traversal via Adapter File Request

Title source: llm
STIX 2.1

Description

An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if the authentication is enabled (by default isn't enabled).

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0216
EPSS Percentile 79.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (2)
iobroker/iobroker.js-controller < 2.0.25
npm/iobroker.js-controller 0 - 2.0.25npm
Published Nov 21, 2019
Tracked Since Feb 18, 2026