TMS Management Console Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in TMS Management Console version 6.3.7.27386.20250818. The issue is in the 'Download Template' function of the profile dashboard, where the filePath parameter is passed to the file download handler without being sanitized against directory traversal sequences. An authenticated user can therefore read any file the application process has access to, including sensitive server configuration files such as Web.config.

Impact

Exploitation of this vulnerability gives an authenticated user arbitrary file read access on the server, exposing sensitive information such as server configuration details. Web.config in particular commonly holds database connection strings and the machineKey used to protect forms-authentication tickets and view state, so disclosure of that one file can escalate well beyond file read.

Reproduction

To reproduce this vulnerability, log in as any user, open the profile dashboard and navigate to the Import page. The 'Download Template' feature calls the '/Home/DownloadFileByPath' API with a filePath parameter. Replacing that value with a traversal payload such as '../Web.config' (or its URL-encoded form) causes the server to return its Web.config file; other files the application can read, such as internal documents, can be retrieved the same way.
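The following is an added example written for this page; it is not code from TMS Management Console or its vendor. It shows two things a practitioner wants after reading the reproduction steps: a safe way to resolve a user-supplied filePath against a template directory (rejecting '..', encoded variants, drive letters and UNC paths), and a scan over IIS W3C log lines that flags DownloadFileByPath requests whose filePath would have escaped that directory. The template directory, the 'naive_sanitize' filter and the log lines are all constructed assumptions for illustration; the actual check inside the product is not documented on this page.

```python
"""Added example (not TMS code): safe resolution of a user-supplied filePath
and a scan of IIS W3C log lines for traversal attempts against
/Home/DownloadFileByPath."""
from pathlib import PureWindowsPath
from typing import Optional
from urllib.parse import parse_qs, unquote

# Assumed template directory; the real location inside TMS is not documented.
TEMPLATE_ROOT = PureWindowsPath(r"C:\inetpub\TMS\App_Data\Templates")


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e%252e
    both surface as '..' before any path logic runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_sanitize(value: str) -> str:
    """Illustrative one-shot filter that does NOT work: stripping '../' once
    lets '....//' collapse back into '../'. Not the vendor's code."""
    return value.replace("../", "").replace("..\\", "")


def resolve_template_path(file_path: str,
                          root: PureWindowsPath = TEMPLATE_ROOT) -> Optional[PureWindowsPath]:
    """Return the absolute path under `root`, or None if the request must be refused."""
    decoded = decode_param(file_path)
    if "\x00" in decoded:
        return None
    candidate = PureWindowsPath(decoded)
    # Drive letters, UNC shares and rooted paths (C:\..., \\srv\share, \Windows)
    # are never legitimate template names.
    if candidate.drive or candidate.root:
        return None
    stack: list[str] = []
    for part in candidate.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None          # would climb above the template root
            stack.pop()
            continue
        # Windows silently strips trailing dots/spaces, so 'Web.config.' opens Web.config.
        if part != part.rstrip(". "):
            return None
        stack.append(part)
    if not stack:
        return None                  # empty request: nothing to download
    return root.joinpath(*stack)


# Constructed IIS W3C log lines (not real traffic). IIS replaces spaces in
# fields with '+', so whitespace splitting is safe here.
SAMPLE_IIS_LOG = """
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-02-03 09:20:01 10.0.0.5 GET /Home/DownloadFileByPath filePath=ImportTemplate.xlsx 443 alice 10.0.0.40 Mozilla/5.0 200
2026-02-03 09:21:13 10.0.0.5 GET /Home/DownloadFileByPath filePath=..%2FWeb.config 443 bob 203.0.113.7 curl/8.4.0 200
2026-02-03 09:21:20 10.0.0.5 GET /Home/DownloadFileByPath filePath=%252e%252e%5CWeb.config 443 bob 203.0.113.7 curl/8.4.0 200
2026-02-03 09:22:00 10.0.0.5 GET /Home/Index - 443 alice 10.0.0.40 Mozilla/5.0 200
""".strip().splitlines()


def scan_iis_log(lines: list[str]) -> list[dict]:
    """Flag DownloadFileByPath requests whose filePath fails resolve_template_path."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        date, time, _, method, stem, query, _, user, client_ip = fields[:9]
        if stem.lower() != "/home/downloadfilebypath":
            continue
        # MVC binds parameter names case-insensitively; match FILEPATH too.
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for raw in params.get("filepath", []):
            if resolve_template_path(raw) is None:
                hits.append({"time": f"{date} {time}", "method": method, "user": user,
                             "client": client_ip, "filePath": decode_param(raw)})
    return hits


if __name__ == "__main__":
    print("naive filter leaves:", naive_sanitize("....//Web.config"))
    for hit in scan_iis_log(SAMPLE_IIS_LOG):
        print(hit)
```

The resolver refuses anything that would pop above the root rather than trying to strip traversal sequences, which is why the bypass shown by naive_sanitize does not apply to it. The log scan reuses the same resolver, so the detection rule and the fix cannot drift apart.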

Added: Jan 22, 2026, 4:23 PM
Updated: Jan 22, 2026, 9:07 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 8.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.