FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dino -- Path traversal in Dino file transfers

Affected packages
dino < 0.2.1


VuXML ID fc1bcbca-c88b-11eb-9120-f02f74d0e4bd
Discovery 2021-06-07
Entry 2021-06-08

Dino team reports:

It was discovered that when a user receives and downloads a file in Dino, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.


CVE Name CVE-2021-33896