Arbitrary Folder Creation Vulnerability
A critical vulnerability in version 20240410 allows attackers to create arbitrary folders at any location on the server, including the root directory. This issue has not yet been patched.
Available publicly on Jul 10 2024
Threat Overview
The vulnerability allows an attacker to create an unlimited number of arbitrary folders in any location on the server, including the root directory. This can lead to resource exhaustion, denial of service (DoS), server unavailability, and potential data loss or corruption. The vulnerability is exploited by intercepting and modifying a specific HTTP POST request to include the desired folder location.
Attack Scenario
An attacker intercepts the HTTP POST request made when refreshing a conversation on the homepage. By modifying the request to specify a folder location, the attacker can create folders anywhere on the server. Repeating this process can lead to resource exhaustion and potentially bring down the server.
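The advisory does not show the affected code, so the following is an added example and not the vendor's implementation: it assumes a handler that takes a folder location from the POST body, and contrasts that pattern with a version that confines creation to one base directory and caps the folder count. The function names, `FolderRejected`, and the `MAX_FOLDERS` limit are hypothetical.

```python
import os
import tempfile
from pathlib import Path

MAX_FOLDERS = 100  # assumed cap on folders under the base, to bound exhaustion


class FolderRejected(Exception):
    """Raised when a requested folder location is not allowed."""


def create_folder_unsafe(base: Path, requested: str) -> Path:
    # Assumed vulnerable pattern: the request value decides the location.
    # An absolute path or a ".." segment leaves `base` entirely.
    target = Path(os.path.join(base, requested))
    target.mkdir(parents=True, exist_ok=True)
    return target


def create_folder_safe(base: Path, requested: str) -> Path:
    base = base.resolve()
    if not requested or "\x00" in requested:
        raise FolderRejected("empty or malformed folder name")
    # Resolve ".." and symlinks first so the check sees the real destination.
    target = (base / requested).resolve()
    if target == base or not target.is_relative_to(base):
        raise FolderRejected("folder location outside permitted directory")
    # Count every directory this call would add, including missing parents.
    missing = [p for p in (target, *target.parents)
               if p.is_relative_to(base) and not p.exists()]
    existing = sum(1 for p in base.rglob("*") if p.is_dir())
    if existing + len(missing) > MAX_FOLDERS:
        raise FolderRejected("folder quota reached")
    target.mkdir(parents=True, exist_ok=True)
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "conversations"  # constructed sample layout
        base.mkdir()
        for requested in ("chat-001", "../escaped", "/absolute-elsewhere"):
            try:
                print(requested, "->", create_folder_safe(base, requested))
            except FolderRejected as exc:
                print(requested, "-> rejected:", exc)
```

The containment check addresses the arbitrary-location part of the issue, and the quota addresses the repeated-request exhaustion described above; `Path.is_relative_to` requires Python 3.9 or later.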
Who is affected
Any server running version 20240410 of the software is vulnerable. The impact extends to administrators and users who rely on the server for critical services.