
Path Traversal at Discord-Recon .recon Command Path

High
DEMON1A published GHSA-p2pw-8xwf-879g Apr 21, 2021

Package

Discord-Recon (Other)

Affected versions

<= 0.0.3

Patched versions

0.0.4

Description

Impact

  • A remote attacker who can send the `.recon` command is able to read local files from the server running the bot, which can disclose sensitive information.

Patches

  • This issue has been fixed in 0.0.4 by applying `.replace('..', '')` to the Path argument, which strips the `..` sequences used for directory traversal before the path is used. Note that removing the literal `..` does not, by itself, confine the lookup to the intended directory (for example, a symbolic link inside that directory still resolves wherever it points); resolving the path and checking that it stays under the expected base directory is the more robust approach.

Workarounds

  • If you want to fix this without updating, open app.py and add `.replace('..', '')` to the Path variable inside the recon function.
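To make the patch and the workaround concrete, here is an added Python example; it is not Discord-Recon's own code. It assumes a hypothetical bot that builds a file path by appending the `.recon` argument to an output directory, applies the advisory's `.replace('..', '')` fix, and contrasts that with a canonicalize-and-confine check. The directory tree, file names and the symlink are constructed for the demo.

```python
import os
import tempfile

# Constructed demo tree, not the project's files: a recon output directory,
# a sensitive file one level above it, and a symlink inside the recon
# directory that points at that sensitive file.
BASE = tempfile.mkdtemp()
RECON_DIR = os.path.join(BASE, "recon")
os.makedirs(RECON_DIR)
with open(os.path.join(RECON_DIR, "target.txt"), "w") as f:
    f.write("recon output\n")
with open(os.path.join(BASE, "secret.txt"), "w") as f:
    f.write("SECRET\n")
os.symlink(os.path.join(BASE, "secret.txt"), os.path.join(RECON_DIR, "link"))

# Canonical form of the directory the bot is allowed to read from.
RECON_ROOT = os.path.realpath(RECON_DIR)


def escapes_recon_dir(path):
    """True if the resolved path lies outside RECON_DIR."""
    resolved = os.path.realpath(path)
    return os.path.commonpath([RECON_ROOT, resolved]) != RECON_ROOT


def build_path_vulnerable(user_path):
    """Hypothetical pre-0.0.4 shape: the command argument glued onto the dir."""
    return f"{RECON_DIR}/{user_path}"


def build_path_stripped(user_path):
    """The advisory's fix: drop every literal '..' before building the path."""
    return f"{RECON_DIR}/{user_path.replace('..', '')}"


def build_path_confined(user_path):
    """Hardened variant (added here): canonicalize, then confine to RECON_DIR."""
    candidate = os.path.realpath(f"{RECON_DIR}/{user_path}")
    if os.path.commonpath([RECON_ROOT, candidate]) != RECON_ROOT:
        raise PermissionError(f"refusing path outside recon dir: {user_path!r}")
    return candidate


def confined_rejects(user_path):
    """True if build_path_confined refuses the argument."""
    try:
        build_path_confined(user_path)
    except PermissionError:
        return True
    return False


def read_file(path):
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    payload = "../secret.txt"
    print("vulnerable:", read_file(build_path_vulnerable(payload)).strip())
    print("stripped escapes?", escapes_recon_dir(build_path_stripped(payload)))
    print("stripped via symlink:", read_file(build_path_stripped("link")).strip())
    print("confined rejects symlink?", confined_rejects("link"))
```

The `..` stripping does stop the classic `../secret.txt` and `....//secret.txt` payloads (the second one collapses to `//secret.txt`, which stays inside the directory), but it still follows the symlink to the file above the directory, because it only inspects the string, not where the path resolves. The confined variant rejects both the traversal payload and the symlink.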

Credits:

  • All credit for finding and disclosing this issue goes to @Ry0taK

For more information

If you have any questions or comments about this advisory:

CVE ID

CVE-2021-29466