漏洞描述
node-red是一个低代码开发系统,在代码托管平台有15k的star,node-red-contrib-humagic 3.0.0 受res.sendFile API 中的 hue/assets/..%2F Directory Traversal.in 的影响,在文件 hue-magic.js中使用,以获取任意文件。
node-red-contrib-humagic 3.0.0任意文件读取(CVE-2021-25864)
PoC代码
暂无相关漏洞推荐
- POC CVE-2006-3392: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
- POC CVE-2011-3600: Apache OFBiz - XML External Entity Injection
- POC CVE-2015-8350: WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
- POC CVE-2016-15043: WP Mobile Detector <= 3.5 - Unrestricted File Upload
- POC CVE-2017-11107: phpLDAPadmin <= 1.2.3 - Reflected XSS
- POC CVE-2019-11253: Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
- POC CVE-2019-15823: WPS Hide Login <= 1.5.2.2 - Login Page Bypass
- POC CVE-2019-9082: ThinkPHP < 3.2.4 - Remote Code Execution
- POC CVE-2020-12832: WordPress Simple File List - Path Traversal
- POC CVE-2020-13125: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
- POC CVE-2021-24213: GiveWP <= 2.9.7 - Cross-Site Scripting
- POC CVE-2021-3007: Laminas Project laminas-http - Remote Code Execution
- POC CVE-2021-33829: Drupal 7 CKEditor XSS