rtcmulticonnection-client is a signaling implementation for RTCMultiConnection.js, a multi-session manager. rtcmulticonnection-client is vulnerable to a directory traversal issue that gives an attacker access to the filesystem by placing "../" in the URL.
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
NETWORK | LOW | NONE | PARTIAL | NONE | NONE |
Rtcmulticonnection-client project Rtcmulticonnection-client 1.0.5 (node.js; not an official CPE)
Rtcmulticonnection-client project Rtcmulticonnection-client 1.0.4 (node.js; not an official CPE)
Rtcmulticonnection-client project Rtcmulticonnection-client 1.0.3 (node.js; not an official CPE)
Rtcmulticonnection-client project Rtcmulticonnection-client 1.0.2 (node.js; not an official CPE)
Rtcmulticonnection-client project Rtcmulticonnection-client 1.0.1 (node.js; not an official CPE)
Rtcmulticonnection-client project Rtcmulticonnection-client 1.0.0 (node.js; not an official CPE)
Link | Advisory | Patch | Confirmed |
---|---|---|---|
https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/di... | | | |
https://nodesecurity.io/advisories/385 | | | |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE ID 22)
Related CAPEC (7):
Relative Path Traversal (CAPEC-ID 139)
Directory Traversal (CAPEC-ID 213)
File System Function Injection, Content Based (CAPEC-ID 23)
Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64)
Manipulating Input to File System Calls (CAPEC-ID 76)
Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78)
Using Slashes in Alternate Encoding (CAPEC-ID 79)