FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dino -- Path traversal in Dino file transfers

Affected packages
dino < 0.2.1

Details

VuXML ID fc1bcbca-c88b-11eb-9120-f02f74d0e4bd
Discovery 2021-06-07
Entry 2021-06-08

Dino team reports:

It was discovered that when a user receives and downloads a file in Dino, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.

References

CVE Name CVE-2021-33896
Message 392f934a-f937-7b29-5f7f-5df3ee60d8a8@.larma.de
URL https://dino.im/security/cve-2021-33896/
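
The Details above describe a file name whose URI-encoded path separators are decoded before the file is written. The following is an added example, not code from Dino or from this advisory: it contrasts a constructed decode-then-join pattern with a hardened check. The function names, the sample directory and the sample file name are assumptions made for illustration.

```python
import os
from urllib.parse import unquote


class UnsafeFileName(ValueError):
    """Raised when an offered file name cannot be mapped into the download dir."""


def naive_target(download_dir, offered_name):
    # Constructed illustration of the flaw class: the name is decoded and
    # joined without any check, so a decoded "../" walks out of download_dir.
    return os.path.normpath(os.path.join(download_dir, unquote(offered_name)))


def safe_target(download_dir, offered_name):
    # Decode exactly once, so validation sees the same string that is written.
    decoded = unquote(offered_name)
    # Treat "/" and "\" as separators on every platform; keep the last part only.
    leaf = decoded.replace("\\", "/").rsplit("/", 1)[-1]
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise UnsafeFileName(offered_name)
    base = os.path.realpath(download_dir)
    # realpath also resolves a symlink already present under that name.
    target = os.path.realpath(os.path.join(base, leaf))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFileName(offered_name)
    return target


if __name__ == "__main__":
    downloads = "/home/user/Downloads"      # constructed sample directory
    offered = "..%2F..%2Foutside.txt"       # constructed sample file name
    print("naive:", naive_target(downloads, offered))
    print("safe: ", safe_target(downloads, offered))
    for bad in ("%2E%2E", "dir%2F"):
        try:
            safe_target(downloads, bad)
        except UnsafeFileName as exc:
            print("rejected:", exc)
```

The containment check after `realpath` is a second layer: even if the leaf extraction were bypassed, a target outside the download directory is refused.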