CVE-2018-14573

Published: Jul 23, 2018Modified: Nov 21, 2024

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

A Local File Inclusion (LFI) vulnerability exists in the Web Interface API of TightRope Media Carousel Digital Signage before 7.3.5. The RenderingFetch API allows for the downloading of arbitrary files through the use of directory traversal sequences, aka CSL-1683.

Affected (1)

Products: Trms: Tightrope Media Carousel Digital Signage

1 product

Tightrope Media Carousel Digital Signage

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Trms Tightrope Media Carousel Digital Signage	Before 7.3.5

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

http://release-notes.trms.com/txt/448

Source: cve@mitre.org

Not ApplicableThird Party Advisory

http://release-notes.trms.com/txt/448

Source: af854a3a-2127-422b-91ae-364da2661108

Not ApplicableThird Party Advisory

Timeline

No history available yet.