How severe is CVE-2020-15097?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2020-15097?

This is classified as CWE-22, which is a common weakness in software security.

CVE-2020-15097 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

loklak is an open-source server application which is able to collect messages from various sources, including twitter. The server contains a search index and a peer-to-peer index sharing interface. All messages are stored in an elasticsearch index. In loklak less than or equal to commit 5f48476, a path traversal vulnerability exists. Insufficient input validation in the APIs exposed by the loklak server allowed a directory traversal vulnerability. Any admin configuration and files readable by the app available on the hosted file system can be retrieved by the attacker. Furthermore, user-controlled content could be written to any admin config and files readable by the application. This has been patched in commit 50dd692. Users will need to upgrade their hosted instances of loklak to not be vulnerable to this exploit.

Related Vulnerabilities

CVE-2012-6664

CRITICAL

CVSS:9.1(Critical)

Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via a .. (dot dot) in the (1) get ...

CWE-222012

CVE-2014-10390

CRITICAL

CVSS:9.1(Critical)

The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has directory traversal.

CWE-222014

CVE-2014-3702

CRITICAL

CVSS:9.1(Critical)

Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot ...

CWE-222014

CVE-2015-4068

CRITICAL

CVSS:9.1(Critical)

Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFile...

CWE-222015

CVE-2015-5609

CRITICAL

CVSS:9.1(Critical)

Absolute path traversal vulnerability in the Image Export plugin 1.1 for WordPress allows remote attackers to read and delete arbitrary files via a full pathname in the file parameter to download.php.

CWE-222015

CVE-2015-9277

CRITICAL

CVSS:9.1(Critical)

MailEnable before 8.60 allows Directory Traversal for reading the messages of other users, uploading files, and deleting files because "/../" and "/.. /" are mishandled.

CWE-222015