Unauthenticated Path Traversal in kareadita/kavita
Aug 6th 2022
An unauthenticated user can read and download files from the application system by abusing the filename parameter of the /api/image/cover-upload endpoint, which is not properly sanitized.
Proof of Concept
1 - Send the following request, where filename holds the relative path of the target file.
GET /api/image/cover-upload?filename=<filename>
Host: localhost:5000
An unauthenticated attacker can read many files, such as configuration, backup, log and database files, that contain sensitive information about the system, the application and its users.
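One way to confine the filename parameter described above to a single directory, shown as an added example that is not Kavita's code. The class and method names, the base directory and the sample file names are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.IO;

// Added example with hypothetical names; not taken from the Kavita code base.
public static class CoverUploadPathGuard
{
    // Returns the absolute path of `filename` inside `baseDir`, or null when the
    // name is empty, carries directory components, or resolves outside baseDir.
    public static string? ResolveInside(string baseDir, string? filename)
    {
        if (string.IsNullOrWhiteSpace(filename)) return null;

        // Accept bare file names only. Both separators are rejected on every
        // platform: '\' is an ordinary file-name character on Linux but a
        // directory separator on Windows.
        if (filename.IndexOfAny(new[] { '/', '\\', '\0' }) >= 0) return null;
        if (filename == "." || filename == "..") return null;

        // Canonicalize, then confirm containment. Path.Combine returns its
        // second argument unchanged when that argument is rooted, so the
        // decision is made on the canonical result, not on the input string.
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, filename));

        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }

    public static void Main()
    {
        // Constructed demo directory and constructed sample names.
        string baseDir = Path.Combine(Path.GetTempPath(), "cover-upload-demo");
        Directory.CreateDirectory(baseDir);
        string[] samples = { "cover.png", "../config.json", "..\\app.db", "/etc/hostname", ".." };
        foreach (string name in samples)
        {
            string? resolved = ResolveInside(baseDir, name);
            Console.WriteLine($"{name,-16} -> {(resolved is null ? "rejected" : "allowed")}");
        }
    }
}
```

A controller would return 400 or 404 when the helper returns null and serve the file only from the resolved path. Because the report concerns an unauthenticated request, the endpoint's authorization requirement needs review as well.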