CVE-2019-16511

MEDIUM

FireGiant WiX Toolset <3.11.2 - Path Traversal


Description

An issue was discovered in DTF (Deployment Tools Foundation) in FireGiant WiX Toolset before 3.11.2. Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll allow directory traversal during CAB or ZIP archive extraction: the full name of each archive entry (including any ../ sequence) is concatenated with the destination path without checking that the resulting path stays inside the destination directory, so a crafted archive can write files outside the directory chosen for extraction (classic "zip slip").
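The following is an added example, not code from WiX/DTF or from the advisory. It reproduces the flaw described above in Python: a ZIP is constructed in memory with a ../../ entry, a naive extractor that joins the destination with the entry's full name (the pattern the advisory describes) writes outside the destination, and a hardened extractor rejects the entry by resolving the candidate path and requiring it to remain under the destination root. Function names, the temporary directory layout and the entry names are all assumptions made for this illustration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample input: one traversal entry and one benign entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # zipfile.writestr stores the name verbatim, so the ../ survives.
        zf.writestr("../../outside.txt", b"escaped")
        zf.writestr("docs/readme.txt", b"benign")
    return buf.getvalue()


def naive_target_path(dest_dir: str, entry_name: str) -> str:
    """The flawed pattern: destination + full entry name, no containment check."""
    return os.path.join(dest_dir, entry_name)


def safe_target_path(dest_dir: str, entry_name: str) -> str:
    """Resolve the candidate path and refuse anything outside dest_dir.

    realpath() also collapses symlinks, so a previously extracted symlink
    cannot be used to redirect a later entry. Raises ValueError on escape.
    """
    dest_root = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest_root, entry_name))
    try:
        inside = os.path.commonpath([dest_root, candidate]) == dest_root
    except ValueError:  # different drives on Windows: certainly outside
        inside = False
    if not inside:
        raise ValueError(f"zip slip: entry {entry_name!r} escapes {dest_root}")
    return candidate


def naive_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract every entry with the flawed path join; returns written paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = naive_target_path(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple:
    """Extract only contained entries; returns (written paths, rejected names)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target_path(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors in a throwaway tree; report paths relative to its root.

    The destination sits two levels below the root so the ../../ entry lands
    inside the temporary tree (and is cleaned up) rather than in a real directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        dest = os.path.join(root, "a", "b", "dest")
        os.makedirs(dest)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        naive = sorted(rel(p) for p in naive_extract(build_malicious_zip(), dest))
        ok, bad = safe_extract(build_malicious_zip(), dest)
        return {
            "naive": naive,
            "safe_written": sorted(rel(p) for p in ok),
            "safe_rejected": bad,
        }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the naive extractor placing outside.txt at a/outside.txt, two levels above the intended a/b/dest, while the hardened extractor writes only a/b/dest/docs/readme.txt and reports the traversal entry as rejected. The same containment check applies unchanged to absolute entry names, since os.path.join discards the destination when the entry name is rooted.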

References

Patch, Third Party Advisory: https://github.com/wixtoolset/issues/issues/6075
Third Party Advisory: https://wixtoolset.org/development/wips/6075-dtf-zip-slip/
Patch, Vendor Advisory: https://www.firegiant.com/blog/2019/9/18/wix-v3.11.2-released/

Scores

CVSS v3.1 5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector LOCAL (a user must extract an attacker-supplied archive; integrity impact only)
EPSS 0.0153 (71.7th percentile)

Details

CWE
CWE-22
Status published
Products (1)
firegiant/wix_toolset < 3.11.2
Published Sep 19, 2019
Tracked Since Feb 18, 2026