Path Traversal in mucommander/mucommander


Reported on

Feb 19th 2021

:book: Description

mucommander is a lightweight, cross-platform file manager with a dual-pane interface. This package is vulnerable to Zip Slip.

:recycle: Steps To Reproduce

  1. Download and run the latest release from
  2. Unpack the given zip file. Example used:

:telescope: POC

💥 Impact

Zip Slip: a widespread, critical arbitrary file overwrite vulnerability, which typically results in remote command execution.

Arik Hadas validated this vulnerability a year ago
Abdul muhaimin has been awarded the disclosure bounty
The fix bounty is now up for grabs
Arik Hadas marked this as fixed with commit d1ae0d a year ago
Simon Siebert has been awarded the fix bounty
This vulnerability will not receive a CVE