YiJiuSmile kkFileViewOfficeEdit Path Traversal Vulnerability in Online Preview Function

Vulnerability

A critical path traversal vulnerability has been identified in YiJiuSmile kkFileViewOfficeEdit in versions prior to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. The issue lies in the onlinePreview function, where the url argument is not properly validated, allowing traversal of the file system. The vulnerability can be exploited remotely and may lead to unauthorized access to sensitive files.

Impact

Exploitation of this vulnerability allows for arbitrary file reading, which could expose sensitive information from the server.

Reproduction

To reproduce this vulnerability, send a request to the /onlinePreview endpoint with a crafted url parameter that contains directory traversal sequences or a local file scheme. Such a request bypasses the normal file access restrictions and reads files from the server's file system. For example, setting the url parameter to file:///E:/aut/kkFileViewOfficeEdit-master/kkFileViewOfficeEdit-master/jodconverter-web/src/main/resources/application-prod.properties returns that properties file.
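The root cause described above is a preview endpoint that accepts any value for its url parameter, including a file:// URL or a path containing ".." segments. The following is an added example of the kind of validation a defender would put in front of such an endpoint; it is not code from the kkFileViewOfficeEdit project. It assumes two hypothetical policies: remote documents may only be fetched over http or https, and local documents may only be served from a fixed directory (PREVIEW_ROOT, an assumed path). Percent-encoded and backslash variants of the traversal sequence are normalised before the check so that encoding tricks do not slip past it.

```python
"""Defensive validation of a document-preview url parameter (added example)."""
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit
import posixpath

# Assumption: the preview service only fetches remote documents over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: local documents live only under this directory (hypothetical path).
PREVIEW_ROOT = "/srv/preview"


def validate_preview_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a remote preview URL.

    Rejects non-HTTP(S) schemes such as file://, a missing host, and NUL bytes.
    The value is percent-decoded first so that an encoded scheme ("%66ile://")
    is judged by what the server would actually see after decoding.
    """
    decoded = unquote(url)
    if "\x00" in decoded:
        return False, "NUL byte in url"
    parts = urlsplit(decoded)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '<none>'!r} not allowed"
    if not parts.netloc:
        return False, "missing host"
    return True, "ok"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Lexically confine a requested local document path inside `root`.

    Returns the normalised absolute path, or None if the path would escape
    the root. A leading slash is stripped so "/etc/passwd" is treated as a
    path relative to the root rather than an absolute one; backslashes are
    treated as separators so "..\\..\\" behaves like "../../". Assumes root
    is an absolute directory other than "/".
    """
    root_norm = posixpath.normpath(root)
    cleaned = unquote(requested).replace("\\", "/").lstrip("/")
    if "\x00" in cleaned:
        return None
    candidate = posixpath.normpath(posixpath.join(root_norm, cleaned))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None  # ".." segments resolved to somewhere outside the root
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request, several abusive ones.
    for u in ["https://example.com/docs/report.pdf",
              "file:///etc/passwd",
              "%66ile:///etc/passwd"]:
        print(u, "->", validate_preview_url(u))
    for p in ["docs/report.docx", "../../etc/passwd", "..%2F..%2Fetc/passwd"]:
        print(p, "->", resolve_under_root(PREVIEW_ROOT, p))
```

The lexical check is deliberately separate from the scheme check: a real deployment should additionally resolve symlinks (os.path.realpath) before comparing against the root, and should apply the check once, centrally, rather than in each handler.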

Added: Jul 14, 2025, 6:01 PM
Updated: Jul 14, 2025, 6:01 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.