CVE-2018-7719
Description
Acrolinx Server before 5.2.5 on Windows allows Directory Traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Acrolinx Server before 5.2.5 on Windows allows remote attackers to read arbitrary files via crafted HTTP requests.
Vulnerability
Acrolinx Server versions before 5.2.5 on Windows are vulnerable to a directory traversal attack. The Acrolinx Dashboard component fails to properly sanitize user-supplied path input, allowing an attacker to traverse directories using backslash sequences (e.g., ..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini) [1]. The vulnerability is present in the default installation and does not require any special configuration to be reachable.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the Acrolinx Dashboard endpoint. No authentication is required. The attacker simply appends a directory traversal payload to the URL, such as http://localhost/..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini [1]. The server then returns the contents of the requested file.
Impact
Successful exploitation allows an unauthenticated remote attacker to read arbitrary files from the Windows file system. This can lead to disclosure of sensitive information, including configuration files, credentials, or other data stored on the server. The attacker gains read access at the privilege level of the Acrolinx service account.
Mitigation
The vulnerability is fixed in Acrolinx Server version 5.2.5 and later [1]. Users should upgrade to the latest version. No workarounds are documented in the available references. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
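One way to look for attempts against unpatched servers in HTTP access logs, as an added example that is not Acrolinx's or this page's own code: it assumes a common-log-format access log (the page shows no server logs) and flags any request whose path climbs above the web root when both `\` and `/` count as separators, including percent-encoded forms. The function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed access-log shape (common log format); the page does not show server logs.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %5c and double-encoded %255c are both seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def escapes_root(target):
    """True if the request path climbs above the web root under Windows rules."""
    path = decode_fully(target.split("?", 1)[0])
    depth = 0
    # Windows treats both '\' and '/' as separators, so split on either.
    for part in re.split(r"[\\/]+", path):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversal(log_lines):
    """Return (target, status) for every logged request that escapes the root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and escapes_root(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    r'192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /..\..\..\windows\win.ini HTTP/1.1" 200 92',
    r'192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0',
    r'192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /a/b/../style.css HTTP/1.1" 200 300',
]
```

A flagged request logged with status 200 means the server returned content for it, so those entries are the ones to review first when scoping what may have been read.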
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.2.5
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/44345/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- support.acrolinx.com/hc/en-us/articles/213987685-Acrolinx-Server-Version-5-1-including-subsequent-service-releases- (mitre, x_refsource_CONFIRM)