CVE-2019-17199

HIGH

Webpagetest - Path Traversal

Title source: rule

Description

www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring.

Exploits (1)

metasploit WORKING POC

by dun, sinn3r · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/webpagetest_traversal.rb

View Code ZIP pw:eip

References (1)

[Exploit, Patch, Third Party Advisory] https://github.com/WPO-Foundation/webpagetest/pull/1299

Scores

CVSS v3 7.5

EPSS 0.5765

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

webpagetest/webpagetest 19.04

Published Oct 05, 2019

Tracked Since Feb 18, 2026