CVE-2019-13915
Description
b3log Wide before 1.6.0 has three file access vulnerabilities: code execution, symlink in ZIP, and symlink in Git import, allowing arbitrary file read/write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
b3log Wide before version 1.6.0 contains three distinct attack vectors that allow an attacker to access arbitrary files on the server. The root cause is insufficient validation of user-supplied code and archive contents, combined with the ability to execute code and import ZIP or Git repositories [1][2].
Exploitation Details
First, an attacker can write arbitrary code in the editor, compile it, and run it approximately three times to read any file on the system. Second, an attacker can create a symbolic link (symlink) and place it into a ZIP archive; when Wide unzips the archive, it follows the symlink, granting read and potentially write access to the target file. Third, importing a Git repository that contains a symlink similarly leads to read and write access to the symlink target [2].
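The defensive check that closes the second vector, as an added example that is not code from Wide or from the advisory's sources: before any entry of an uploaded archive is written to the workspace, its mode bits are inspected and symlink entries are refused, together with names that would resolve outside the destination directory. The function names, the workspace path and the sample archive are constructed for this illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VetZip refuses symlink entries (reads and writes through them would reach the link target) and names outside dest.
func VetZip(data []byte, dest string) (safe, refused []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil { // Go 1.20+ pairs a usable reader with ErrInsecurePath; names are checked below anyway
		return nil, nil, err
	}
	dest = filepath.Clean(dest)
	for _, f := range zr.File {
		target := filepath.Join(dest, filepath.FromSlash(f.Name))
		if f.Mode()&os.ModeSymlink != 0 || !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
			refused = append(refused, f.Name)
		} else {
			safe = append(safe, f.Name)
		}
	}
	return safe, refused, nil
}

// SampleZip: constructed archive with a normal file, a symlink entry aimed at /etc/passwd, and a traversal entry.
func SampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name string, mode os.FileMode, body string) {
		hdr := &zip.FileHeader{Name: name, Method: zip.Deflate}
		hdr.SetMode(mode)
		w, _ := zw.CreateHeader(hdr)
		w.Write([]byte(body)) // for a symlink entry the body is the link target
	}
	add("src/main.go", 0o644, "package main\n")
	add("config.go", os.ModeSymlink|0o777, "/etc/passwd")
	add("../escape.txt", 0o644, "outside the workspace")
	zw.Close()
	return buf.Bytes()
}

func main() {
	safe, refused, _ := VetZip(SampleZip(), "/srv/wide/workspace")
	fmt.Println("extract:", safe, "refuse:", refused)
}
```

Only the names returned in `safe` should then be extracted; the same mode check applies to entries of an imported Git tree.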
Impact
Successful exploitation allows an attacker to read sensitive files (e.g., configuration, credentials) and, depending on file permissions, write to arbitrary files. This could lead to privilege escalation, data exfiltration, or remote code execution in the context of the Wide application.
Mitigation
The vulnerabilities are fixed in b3log Wide version 1.6.0. Users should upgrade to this version or later. No workarounds are documented; upgrading is the recommended action [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/b3log/wide (Go) | < 1.6.0 | 1.6.0 |
Affected products
- b3log/Wide
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6452-jr93-r5qm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-13915 (advisory)
- github.com/b3log/wide/issues/355 (web)
- sca.analysiscenter.veracode.com/vulnerability-database/security/arbitrary-file-reads-and-writes/go/sid-20862 (web)
- web.archive.org/web/20190522035724/https://github.com/b3log/wide (web)
News mentions
No linked articles in our index yet.