Iobroker: Security Vulnerabilities
Characters in the GET url path are not properly escaped and can be reflected in the server response.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-11-25
An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if the authentication is enabled (by default isn't enabled).
CVSS Score
7.5
EPSS Score
0.006
Published
2019-11-21
iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-11-20