AllSky Path Traversal Vulnerability Allowing Web Shell Creation and Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in AllSky version 2023.05.01_04. This vulnerability allows an unauthenticated attacker to create a web shell and execute remote code by exploiting the 'path' and 'content' parameters in the '/includes/save_file.php' script.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the server where AllSky is running.

Reproduction

To reproduce this vulnerability, send a POST request to '/includes/save_file.php' with the 'path' parameter set to a traversable path and the 'content' parameter containing the code to be executed. The 'path' can be a web alias that the script will resolve to a physical file path on the server.
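One way a save handler can constrain the 'path' and 'content' parameters, shown as an added example that is not AllSky's code or its fix. The alias name, base directory, extension list and the `$authenticated` flag are assumptions.

```php
<?php
// Added example, not AllSky code. Alias, directory and extensions are hypothetical.
const ALLOWED_ALIASES    = ['config' => '/home/pi/allsky/config'];
const ALLOWED_EXTENSIONS = ['json', 'txt']; // nothing the web server would execute

function resolve_save_path(string $requested, array $aliases = ALLOWED_ALIASES): string
{
    // Expect "<alias>/<relative file>"; the alias must come from the fixed map.
    $parts = explode('/', $requested, 2);
    if (count($parts) !== 2 || !isset($aliases[$parts[0]])) {
        throw new InvalidArgumentException('unknown alias');
    }
    $base = realpath($aliases[$parts[0]]);
    if ($base === false) {
        throw new InvalidArgumentException('base directory missing');
    }
    // Canonicalise the parent directory first, so ".." and symlinked
    // directories are resolved before the containment check.
    $candidate = $base . '/' . $parts[1];
    $dir = realpath(dirname($candidate));
    $inside = $dir !== false
        && ($dir === $base || strncmp($dir, $base . '/', strlen($base) + 1) === 0);
    if (!$inside) {
        throw new InvalidArgumentException('path escapes allowed directory');
    }
    $name = basename($candidate);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    $target = $dir . '/' . $name;
    if (is_link($target)) { // an existing symlink could point outside $base
        throw new InvalidArgumentException('target is a symlink');
    }
    return $target;
}

// Returns the HTTP status the endpoint should send.
function handle_save(array $post, bool $authenticated): int
{
    if (!$authenticated) { return 401; } // reject unauthenticated writes outright
    if (!is_string($post['path'] ?? null) || !is_string($post['content'] ?? null)) {
        return 400;
    }
    try {
        $target = resolve_save_path($post['path']);
    } catch (InvalidArgumentException $e) {
        return 403;
    }
    return file_put_contents($target, $post['content'], LOCK_EX) === false ? 500 : 200;
}
```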

Added: Aug 19, 2025, 7:29 PM
Updated: Aug 19, 2025, 8:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 0.0
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.