Description
util/FileDownloadUtils.java in FileDownloader 1.7.3 does not check an attachment's name. If an attacker places "../" in the file name, the file can be stored in an unintended directory because of Directory Traversal.
Remediation
References
https://github.com/lingochamp/FileDownloader/issues/1028
Related Vulnerabilities
CVE-2021-4245 Vulnerability in maven package org.webjars.npm:rfc6902
CVE-2019-8331 Vulnerability in maven package org.webjars.npm:bootstrap
CVE-2019-1003048 Vulnerability in maven package com.programmingresearch:prqa-plugin
CVE-2021-23358 Vulnerability in maven package org.webjars.npm:underscore
CVE-2022-4137 Vulnerability in maven package org.keycloak:keycloak-themes