Error type:
CWE-22:Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vulnerability vector:
Base vulnerability score (CVSSv4.0): CVSS:4.0/ AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Severity (CVSSv4.0): 8.9 (High)
Description:
The vulnerability was identified in Booco, version Server v2.38.3.
The discovered vulnerability allows an attacker to supply a relative path in a parameter, which results in a new file being created (or an existing file being overwritten) in any directory of the file system.
Vulnerability status: Confirmed by vendor
Date of vulnerability remediation: 12.08.2025
Recommendations:
- Update to version 2.41.0 or higher
Additional information: Release notes
Researcher: Vsevolod Dergunov (Positive Technologies)
Identifiers:
BDU:2025-08816
Vulnerable product:
Booco
Vulnerable versions:
Server v2.38.3