CVE-2023-26563

CRITICAL

Syncfusion EJ2 Node File Provider 0102271 - Path Traversal

Title source: llm

Description

The Syncfusion EJ2 Node File Provider 0102271 is vulnerable to filesystem-server.js directory traversal. As a result, an unauthenticated attacker can: - On Windows, list files in any directory, read any file, delete any file, upload any file to any directory accessible by the web server. - On Linux, read any file, download any directory, delete any file, upload any file to any directory accessible by the web server.

Exploits (1)

nomisec WRITEUP

by RupturaInfoSec · poc

https://github.com/RupturaInfoSec/CVE-2023-26563-26564-26565

View Code ZIP pw:eip

References (3)

[Product] https://ej2.syncfusion.com/documentation/file-manager/file-system-provider/

[Exploit] https://github.com/RupturaInfoSec/CVE-2023-26563-26564-26565/

[Product] https://github.com/SyncfusionExamples/ej2-filemanager-node-filesystem

Scores

CVSS v3 9.8

EPSS 0.0128

EPSS Percentile 79.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

syncfusion/nodejs_file_system_provider 0102271

Published Jul 12, 2023

Tracked Since Feb 18, 2026