CVE-2022-38731

MEDIUM

Qaelum DOSE 18.08-21.1 - Directory Traversal via loadimages name parameter

Title source: llm

Description

Qaelum DOSE 18.08 through 21.1 before 21.2 allows Directory Traversal via the loadimages name parameter. It allows a user to specify an arbitrary location on the server's filesystem from which to load an image. (Only images are displayed to the attacker. All other files are loaded but not displayed.) The Content-Type response header reflects the actual content type of the file being requested. This allows an attacker to enumerate files on the local system. Additionally, remote resources can be requested via a UNC path, allowing an attacker to coerce authentication out from the server to the attackers machine.

References (2)

Core 2

Core References

Product

https://qaelum.com/solutions/dose

Third Party Advisory

https://www.pwc.co.uk/issues/cyber-security-services/research/ethical-hacking-team-discovered-zero-day-vulnerability.html

Scores

CVSS v3 4.3

EPSS 0.0073

EPSS Percentile 49.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (1)

qaelum/dose 18.08 - 21.2

Published Feb 16, 2023

Tracked Since Feb 18, 2026