← Back

CVE-2023-26559

nvd nist
Published: Apr 14, 2023Modified: Feb 7, 2025

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)

Affected (4)

Sync
2 products
Oxygen Content Fusion
Oxygen Xml Web Author
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Oxygen Content Fusion
Before 5.0.3
Sync
Oxygen Xml Web Author
Before 23.1.1.4
Oxygen Xml Web Author
From 24.0.0.0 to 24.1.0.3
Oxygen Xml Web Author
From 25.0.0.0 to 25.1.0.3

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

Source: cve@mitre.org
Product
Source: cve@mitre.org
MitigationVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Product
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationVendor Advisory

Timeline

No history available yet.