CVE-2019-17199

HIGH

Webpagetest - Path Traversal

Title source: rule

Description

www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring.

Exploits (1)

metasploit WORKING POC
by dun, sinn3r · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/webpagetest_traversal.rb

Scores

CVSS v3 7.5
EPSS 0.5765
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-22
Status published

Affected Products (1)

webpagetest/webpagetest

Timeline

Published Oct 05, 2019
Tracked Since Feb 18, 2026