Givanz Vvveb Information Disclosure Vulnerability in Drag-and-Drop Editor Component
Vulnerability
An information disclosure vulnerability has been identified in Givanz Vvveb versions through 1.0.5. The issue resides in the Drag-and-Drop Editor component, reachable through the endpoint '/vadmin123/index.php?module=editor/editor'. The 'url' parameter of that endpoint is meant to name the site page to be edited; by manipulating it, a caller can make the editor load and return arbitrary files from the server, so the flaw amounts to an arbitrary file read. Exploitation is possible remotely, although it requires an account that can open the editor (see Reproduction), and the issue has been publicly disclosed.
Impact
Exploitation of this vulnerability allows a user with editor access to read files from the server that the editor was never meant to expose, potentially including application source, package metadata and configuration details.
Reproduction
To reproduce this vulnerability, log in as a user who has access to the 'Edit website' feature and open the editor at '/vadmin123/index.php?module=editor/editor&url=/&template=index.html'. Then change the 'url' parameter so that it names a specific file instead of a site page, for example 'package.json' or 'tools/systeminfo.html'; the editor loads and returns the contents of the named file.
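The following is an added example and is not code from the Vvveb project or from the public report. It shows two checks a practitioner would want around the 'url' parameter described above: a detection pass over web-server access logs that flags 'url' values which do not look like a site page path, and the input allowlist plus path-containment check that a patched editor should apply before reading the named file (an illustration of the defensive pattern, not the actual 1.0.6 fix). The log lines, the 'PAGE_PATH' heuristic for what a legitimate 'url' looks like, and the 'make_demo_root' template directory are all constructed here and are assumptions to adapt to a real deployment.

```python
"""
Added example (not Vvveb project code): detection and hardening checks for the
'url' parameter of module=editor/editor.

Assumptions: access logs are in the common/combined format; a legitimate 'url'
is a site-relative page path such as '/' or '/about' (PAGE_PATH below); the
editor's templates live under a single root directory.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Heuristic (assumption): legitimate 'url' values start with '/', contain only
# path characters, never contain '..' and carry no extension other than .html.
PAGE_PATH = re.compile(r"^/[A-Za-z0-9_\-/]*(\.html)?$")

# Common/combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one legitimate editor load, the two file reads
# named in the report, an encoded traversal attempt, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vadmin123/index.php?module=editor/editor&url=/&template=index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /vadmin123/index.php?module=editor/editor&url=package.json&template=index.html HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /vadmin123/index.php?module=editor/editor&url=tools/systeminfo.html&template=index.html HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /vadmin123/index.php?module=editor/editor&url=%2e%2e/%2e%2e/.env&template=index.html HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /vadmin123/index.php?module=dashboard HTTP/1.1" 200 900',
]


def find_suspicious_editor_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded url value) for editor requests whose 'url'
    parameter does not look like a site page path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query)  # parse_qs percent-decodes the values
        if qs.get("module", [""])[0] != "editor/editor":
            continue  # only the editor endpoint is of interest here
        for url in qs.get("url", []):
            if not PAGE_PATH.match(url):
                hits.append((m.group("ip"), url))
    return hits


def resolve_template_path(template_root: str, url: str) -> Optional[str]:
    """Map a 'url' value to a template file under template_root.

    Returns None when the value is not a site page path or when the resolved
    file would fall outside the template root. This is the check the editor
    should apply before opening the file."""
    url = unquote(url)
    if not PAGE_PATH.match(url):
        return None  # allowlist on shape: rejects 'package.json', 'tools/...', '..'
    root = os.path.realpath(template_root)
    rel = url.lstrip("/") or "index.html"
    if not rel.endswith(".html"):
        rel += ".html"  # '/about' -> 'about.html'
    candidate = os.path.realpath(os.path.join(root, rel))
    # Containment check (defense in depth): resolved path must stay under root.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def make_demo_root() -> str:
    """Create a throwaway template directory (constructed for this example)."""
    root = tempfile.mkdtemp(prefix="vvveb-templates-")
    for name in ("index.html", "about.html"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("<html><body>%s</body></html>" % name)
    return root


if __name__ == "__main__":
    for ip, url in find_suspicious_editor_requests(SAMPLE_LOG):
        print("suspicious editor request from %s: url=%r" % (ip, url))
    demo = make_demo_root()
    for value in ("/", "/about", "package.json", "tools/systeminfo.html", "/../../etc/passwd"):
        print("%-25r -> %r" % (value, resolve_template_path(demo, value)))
```

The detection function deliberately keys on the shape of the 'url' value rather than on the specific file names from the report, so it also catches encoded traversal and other files; tune PAGE_PATH to the routes the site actually serves before relying on it, since an over-narrow pattern will flag legitimate page edits.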
Remediation
Users are advised to upgrade to Givanz Vvveb version 1.0.6, which addresses this vulnerability.