Vendor: Ethercreative Logs plugin for Craft CMS
By: Steffen Rogge, SC
CVSS: 4.1 (MEDIUM)
CWE: 22 (Path Traversal)
Product Name: Ethercreative Logs plugin for Craft CMS
Affected Version From: <=3.0.3
Affected Version To: 3.0.3
Patch Exists: YES
Related CVE: CVE-2022-23409
CPE: a:ethercreative:logs
Metasploit:
Platforms Tested: Linux
2022

Ethercreative Logs 3.0.3 – Path Traversal

The Ethercreative Logs plugin for Craft CMS 3.0.3 allows authenticated users to perform a path traversal attack via the 'Logs' functionality. This vulnerability (CVE-2022-23409) enables an attacker to access arbitrary files on the file system with the permissions of the web service user by manipulating the requested log file.

Mitigation:

Users are advised to update to version 3.0.4 or later as soon as possible to mitigate this vulnerability.
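
For code that serves a user-selected log file, the containment check that blocks this class of traversal looks like the following. This is an added example, not the plugin's code or its 3.0.4 fix; the function name, the allowed file-name pattern and the temporary fixture are assumptions.

```php
<?php
// Added example: hypothetical hardened lookup for a log viewer; not the plugin's code.

/**
 * Resolve a user-supplied log file name to a path inside $logDir,
 * or return null if the name is not a plain log file in that directory.
 */
function resolveLogPath(string $logDir, string $requested): ?string
{
    // 1. Accept bare file names only: no separators, no "..", no NUL bytes.
    //    The allowed pattern is an assumption; adjust it to the real log names.
    if ($requested !== basename($requested)
        || !preg_match('/\A[A-Za-z0-9._-]+\.log(\.\d+)?\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise both sides so symlinks and "." segments are resolved.
    $base = realpath($logDir);
    $full = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // 3. The canonical path must still sit under the canonical log directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed fixture: a log directory, one real log, one file outside it.
$root = sys_get_temp_dir() . '/logdemo_' . bin2hex(random_bytes(4));
mkdir("$root/logs", 0700, true);
file_put_contents("$root/logs/web.log", "constructed log line\n");
file_put_contents("$root/secret.txt", "outside the log directory\n");
symlink("$root/secret.txt", "$root/logs/link.log"); // symlink pointing outside the directory

foreach (['web.log', '../secret.txt', 'link.log', 'web.log/../../secret.txt'] as $name) {
    $path = resolveLogPath("$root/logs", $name);
    printf("%-28s %s\n", $name, $path === null ? 'rejected' : 'served');
}

// Remove the constructed fixture.
array_map('unlink', ["$root/logs/link.log", "$root/logs/web.log", "$root/secret.txt"]);
rmdir("$root/logs");
rmdir($root);
```

The name filter alone would let the symlinked `link.log` through; the canonical-path comparison in step 3 is what rejects it.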