CVE-2023-35844: packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure...

0.0 CVSS

Description

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.

Classification

CVE ID: CVE-2023-35844

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: n/a

Product: n/a

Nuclei Template

http/cves/2023/CVE-2023-35844.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 23.0% (probability of being exploited)

EPSS Percentile: 96.61% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-04 (date this score was calculated)

References

https://advisory.dw1.io/59
https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c
https://github.com/lightdash/lightdash/compare/0.510.2...0.510.3
https://github.com/lightdash/lightdash/pull/5090

Timeline