List all files in arbitrary folder in SmartVista Cardgen version 3.28.0 (CVE-2022-38614)

CVE-2022-38614

Exploit Title: Business logic flaw leads to listing all files in an arbitrary folder in SmartVista Cardgen version 3.28.0

Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services

Vendor Homepage: https://www.bpcbt.com/smartvista-solutions/

Affected Version(s): SmartVista Cardgen version 3.28.0

Description: In SmartVista Cardgen version 3.28.0, an authenticated user can abuse the IBG Files (OutfileService) feature to list and download all files in an arbitrary folder by changing the PATH value of that service to the target folder in the System Directories feature. The PATH setting is accepted without being constrained to the directory the service is meant to serve.

Steps to reproduce:

- Step 1: In the menu System -> System Directories, an authenticated user can set the PATH parameter of the IBGFormatter SERVICE (or OutfileService) to a directory of their choosing.

- Step 2: Open https://[URL]/svcl/pages/services/ibgformatter/ibgfiles.xhtml (menu CardGen -> Services -> IBG Formatter -> IBG Files) to see the listing of that directory.
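The root cause described above is a configurable service directory that is listed without any check on where it points. The following is an added example (not SmartVista or BPC code) of the control a defender would expect at that point: the configured PATH is canonicalised and required to stay under an allowed root before anything is listed, so a relative escape, an absolute path elsewhere, or a symlink inside the root that points outside it are all rejected. The directory names, file names and the `ibg_outfiles` root are constructed for the example.

```python
"""Confine an operator-configurable service directory to an allowed root.

Added example; not code from the product on this page. It shows the check
that is missing in the business-logic flaw described above: a PATH taken
from a user-editable setting must be confined to the directory the service
is meant to serve before its contents are listed.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path

ALLOWED_ROOT_NAME = "ibg_outfiles"  # constructed name for the example


class DirectoryNotAllowed(ValueError):
    """Raised when a configured PATH escapes the allowed root."""


def resolve_service_directory(configured_path: str, allowed_root: Path) -> Path:
    """Canonicalise the configured PATH and require it to lie under allowed_root.

    Path.resolve() follows symlinks, so a link placed inside the root that
    points outside it is rejected as well. Relative values are interpreted
    against the root; absolute values are checked as given.
    """
    root = allowed_root.resolve(strict=True)
    if os.path.isabs(configured_path):
        candidate = Path(configured_path).resolve()
    else:
        candidate = (root / configured_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise DirectoryNotAllowed(f"configured PATH {configured_path!r} is outside {root}")
    if not candidate.is_dir():
        raise DirectoryNotAllowed(f"configured PATH {configured_path!r} is not a directory")
    return candidate


def list_service_files(configured_path: str, allowed_root: Path) -> list[str]:
    """Return the regular files in the configured directory, or raise if not permitted."""
    directory = resolve_service_directory(configured_path, allowed_root)
    return sorted(p.name for p in directory.iterdir() if p.is_file())


def build_demo_tree() -> tuple[Path, Path]:
    """Construct a sample layout: an allowed root with two outfiles, a sibling
    folder that must never be listed, and a symlink inside the root that
    escapes to that folder. Returns (base, allowed_root)."""
    base = Path(tempfile.mkdtemp(prefix="cardgen-demo-"))
    allowed_root = base / ALLOWED_ROOT_NAME
    allowed_root.mkdir()
    (allowed_root / "batch_0001.ibg").write_text("constructed sample\n")
    (allowed_root / "batch_0002.ibg").write_text("constructed sample\n")
    outside = base / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("must never be listed\n")
    try:
        os.symlink(outside, allowed_root / "escape")
    except OSError:
        pass  # platforms without symlink support: the name then simply does not exist
    return base, allowed_root


def demo() -> dict[str, object]:
    """Run the check against four configured PATH values and report each outcome."""
    base, root = build_demo_tree()
    cases = {
        ".": ".",                                   # legitimate: the root itself
        "../outside": "../outside",                 # relative escape
        "absolute_outside": str(base / "outside"),  # absolute path elsewhere
        "escape": "escape",                         # symlink inside the root pointing out
    }
    results: dict[str, object] = {}
    try:
        for label, configured in cases.items():
            try:
                results[label] = list_service_files(configured, root)
            except DirectoryNotAllowed:
                results[label] = "rejected"
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} -> {outcome}")
```

Only the first case is listed; the three escape attempts fail before `iterdir()` is reached. Logging the rejection together with the acting user's identity gives the operations team a detection signal for the same misuse.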
