Profisee Path Traversal Vulnerability in File Attachment Service
Vulnerability
A path traversal vulnerability has been identified in the Profisee platform, affecting versions 2020R1 and later prior to 2024R2. The flaw stems from improper input validation in the platform's filesystem modules: an authenticated user can manipulate the file paths handled by the File Attachment service through crafted API calls and reach files outside the intended attachment directory. Successful exploitation requires valid Profisee credentials and some knowledge of the target deployment.
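The weakness class described above is a server joining a caller-supplied file name onto a base directory without confirming that the result stays inside it. The following is an added, generic illustration written for this page; it is not Profisee code, does not reflect the real File Attachment API, and assumes a hypothetical attachment root directory and a handful of constructed request strings. It shows the vulnerable join beside a hardened resolver that decodes once, canonicalises, and then checks containment with a segment-aware comparison (so a sibling directory that merely shares a string prefix with the root is still rejected).

```python
"""Path traversal in an attachment download handler: weak pattern vs. hardened check.

Added illustration, not Profisee's code. ATTACHMENT_ROOT and the sample
requests below are constructed for the example.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical base directory for stored attachments (assumption for the example).
ATTACHMENT_ROOT = "/srv/app/attachments"


class PathTraversalError(ValueError):
    """Raised when a requested attachment path would leave the attachment root."""


def resolve_vulnerable(root: str, requested: str) -> str:
    """The weak pattern: trust the client-supplied name and join it onto root.

    normpath collapses '..' segments, so '../../web.config' silently climbs out
    of root, and an absolute path replaces root entirely. No containment check.
    """
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_hardened(root: str, requested: str) -> str:
    """Decode once, canonicalise, then verify containment before any file I/O."""
    root = posixpath.normpath(root)
    # The web layer may hand over '..%2F' style input; decode exactly once and
    # validate the decoded form, never the raw one.
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in attachment name")
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute attachment paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath compares whole path segments: '/srv/app/attachments_evil' shares
    # a string prefix with root but not a path prefix, so it is rejected here,
    # whereas a naive str.startswith(root) check would accept it.
    if posixpath.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"{requested!r} escapes {root}")
    return candidate


def is_contained(root: str, requested: str) -> bool:
    """True if the hardened resolver accepts the request, False if it rejects it."""
    try:
        resolve_hardened(root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests of the kind an authenticated caller could submit.
    samples = [
        "invoice.pdf",
        "sub/dir/report.xlsx",
        "../../web.config",
        "..%2F..%2Fweb.config",
        "/etc/passwd",
        "../attachments_evil/x.txt",
    ]
    for s in samples:
        print(f"{s:28} vulnerable -> {resolve_vulnerable(ATTACHMENT_ROOT, s)}")
        print(f"{'':28} hardened   -> accepted={is_contained(ATTACHMENT_ROOT, s)}")
```

The example uses `posixpath` rather than `os.path` so the behaviour is the same on any host; a real handler would additionally resolve symlinks (for example with `os.path.realpath`) on the candidate before the containment check, since a symlink inside the root can point outside it.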
Impact
Successful exploitation could expose sensitive files outside the attachment store, such as configuration or system files, and could potentially allow those files to be modified, compromising the underlying system.
Remediation
Profisee has developed a fix, which will ship in the upcoming 25R0 release. Hotfixes are being back-ported to all supported versions and to 22R2 (out of support). Self-hosted customers can obtain the hotfix through the Profisee support portal or via updated container images published to Profisee's container registry. For SaaS customers, the hotfix will be deployed automatically during the next maintenance window, and an earlier deployment can be requested.
