Vulnerability Details CVE-2023-35844
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.063
EPSS Ranking 92.7%
CVSS Severity
CVSS v3 Score 7.5
References
- https://advisory.dw1.io/59
- https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c
- https://github.com/lightdash/lightdash/compare/0.510.2...0.510.3
- https://github.com/lightdash/lightdash/pull/5090
- https://advisory.dw1.io/59
- https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c
- https://github.com/lightdash/lightdash/compare/0.510.2...0.510.3
- https://github.com/lightdash/lightdash/pull/5090