Description
An issue was discovered in Sysax Multi Server 6.90. An attacker can determine the username (under which the web server is running) by triggering an invalid path permission error. This bypasses the fakepath protection mechanism.
References (3)
Core References
https://github.com/wrongsid3 (Third Party Advisory, x_refsource_misc)
https://pasteboard.co/J9eF12G.png (Exploit, Third Party Advisory, x_refsource_misc)
https://github.com/wrongsid3/Sysax-MultiServer-6.90-Multiple-Vulnerabilities/blob/master/README.md (Exploit, Third Party Advisory, x_refsource_misc)
Scores
CVSS v3: 5.3
EPSS: 0.0187
EPSS Percentile: 76.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-22
Status: published
Products (1): sysax/multi_server 6.90
Published: Jun 02, 2020
Tracked Since: Feb 18, 2026