upset-gal-web Arbitrary File Read Vulnerability

Vulnerability

A directory traversal vulnerability allowing arbitrary file read has been identified in upset-gal-web version 7.1.0. The issue resides in the file '/api/music/v1/cover.ts'.

Impact

Exploitation of this vulnerability allows for arbitrary file reading on the server, which could lead to the disclosure of sensitive information.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/api/music/v1/cover' with a 'cover' parameter that contains a directory traversal sequence, such as '../../../../../../../etc/passwd'. Because the parameter is used as a file path without being confined to the intended directory, the request bypasses the normal file access restrictions and returns the contents of the specified file.

Remediation

Users are advised to update to the latest version of upset-gal-web where this vulnerability has been fixed.
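For readers who maintain a similar cover-serving route, the following TypeScript is an added illustration of the check that closes this class of bug; it is not code from upset-gal-web or from the fixed release. The base directory '/srv/upset-gal/covers', the function names 'naiveCoverPath', 'resolveCoverPath' and 'handleCoverRequest', and the allowed image extensions are assumptions chosen for the example. The naive variant shows how an unchecked join escapes the directory; the hardened variant resolves the candidate path and then verifies that it still lies under the base directory, which also catches absolute paths and mixed separators.

```typescript
import * as path from "path";

// Assumed directory that cover images are meant to be served from (constructed for this example).
const COVER_DIR = path.resolve("/srv/upset-gal/covers");

// Vulnerable pattern (illustrative, not the project's code): the user-controlled value is joined
// onto the base directory with no containment check. path.join normalises "..", so a traversal
// sequence simply walks out of the base directory.
function naiveCoverPath(baseDir: string, requested: string): string {
  return path.join(baseDir, requested);
}

// Hardened resolver: returns the absolute path of the requested file only if it stays inside
// baseDir, otherwise null. The check runs on the fully resolved path, so "..", absolute paths
// and "./" noise are all evaluated after normalisation rather than by string matching.
function resolveCoverPath(baseDir: string, requested: string): string | null {
  const base = path.resolve(baseDir);
  const candidate = path.resolve(base, requested);
  const rel = path.relative(base, candidate);
  // rel === ""            -> the base directory itself, not a file
  // rel starts with ".."  -> candidate is outside base (a name like "..x.jpg" is still allowed)
  // path.isAbsolute(rel)  -> different drive/root, so it cannot be under base
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}

// Framework-agnostic handler logic: validates the decoded 'cover' query value and maps it to
// either a 400 rejection or the file path that would be served. Actual file I/O is left out so
// the example runs offline.
function handleCoverRequest(coverParam: string | string[] | undefined): { status: number; filePath?: string } {
  // Query parsers commonly hand back string | string[]; accept only a single non-empty string.
  if (typeof coverParam !== "string" || coverParam.length === 0) {
    return { status: 400 };
  }
  // Null bytes can truncate paths in lower layers; reject them outright.
  if (coverParam.includes("\0")) {
    return { status: 400 };
  }
  // Only image files are expected at this endpoint (assumed allowlist).
  if (!/\.(jpe?g|png|webp)$/i.test(coverParam)) {
    return { status: 400 };
  }
  const resolved = resolveCoverPath(COVER_DIR, coverParam);
  if (resolved === null) {
    return { status: 400 };
  }
  return { status: 200, filePath: resolved };
}

// Stand-alone demonstration with constructed inputs.
console.log("naive  :", naiveCoverPath(COVER_DIR, "../../../../../../../etc/passwd"));
console.log("hardened:", resolveCoverPath(COVER_DIR, "../../../../../../../etc/passwd"));
console.log("handler :", handleCoverRequest("album1/front.jpg"));
```

The containment test is done with path.relative on resolved paths rather than by searching the raw string for "..", because query values arrive already URL-decoded and may combine encodings, absolute paths and redundant separators that a substring check misses. A response of 400 for anything outside the base directory is also a useful detection signal: repeated rejections on this route from one client are worth alerting on.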

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.