List all files in arbitrary folder in SmartVista Cardgen version 3.28.0 (CVE-2022-38614)

CVE-2022-38614
Exploit Title: Business Logic lead to list all files in arbitrary folder in SmartVista Cardgen version 3.28.0
Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
Vendor Homepage: https://www.bpcbt.com/smartvista-solutions/
Affected Version(s): SmartVista Cardgen version 3.28.0
Description: At SmartVista Cardgen version 3.28.0, an authenticated user can abuse IGB Files (or OutfileService) feature to list and download all files in arbitrary folder by modifying value of PATH to target folder at System Directories feature
Steps to reproduce:
- Step 1: At menu System -> System Directories, an authenticated user can modify IBGFormatter SERVICE (or OutfileService) to specific directory in PATH parameter.
- Step 2: Access https://[URL]/svcl/pages/services/ibgformatter/ibgfiles.xhtml (menu CardGen -> Services -> IBG Formatter -> IBG Files) to see the result

Path traversal in SmartVista Cardgen version 3.28.0 (CVE-2022-38613)

SmartVista SVFE2

Last modified 1yr ago