CVE-2021-41714
Description
In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments; a registered user can therefore download arbitrary files from the Tipask server, such as .env, /etc/passwd and laravel.log, causing information leakage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Tipask/Tipask
Patches
Vulnerability mechanics
Root cause
"Missing sanitization of path traversal sequences (`..`) in user-supplied filename parameters allows arbitrary file read."
Attack vector
An authenticated user sends a crafted HTTP request to the attachment download endpoint, supplying a path traversal payload (e.g., `../../../.env`) in the `image_name` parameter. Because the application does not strip `..` sequences before constructing the file path, the server reads and returns files outside the intended storage directory. This allows the attacker to leak sensitive files such as `.env`, `/etc/passwd`, or `laravel.log`. [ref_id=1]
Affected code
The vulnerability resides in the `avatar()` and `show()` methods of the `ImageController` class in Tipask. The `show()` method passes user-supplied `$image_name` directly into `storage_path()` without sanitizing path traversal sequences (`..`), allowing an authenticated user to read arbitrary files on the server. The `avatar()` method had the same flaw in the `$avatar_name` parameter. [ref_id=1]
What the fix does
The patch adds `$fileName = str_replace("..","",$image_name);` (and the equivalent for `avatar_name`) to strip directory traversal sequences from user input before it is used to build the file path. This prevents an attacker from escaping the intended storage directory. The same sanitization is applied to the watermark check to ensure the comparison uses the cleaned filename. [ref_id=1]
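As an added illustration (not Tipask's code and not the fix commit itself), the stand-alone PHP script below reproduces the pattern described above inside a throwaway temp directory: an attachment read that joins the raw `image_name` onto `storage_path()`, the `str_replace("..", "")` mitigation the patch applies, and a stricter variant that reduces the name to a basename and confirms with `realpath()` that the resolved file is still inside the attachments directory. The directory layout, the `storage_path()` stub, the payload and every function name are assumptions made for the demo.

```php
<?php
// Added example for CVE-2021-41714; not Tipask's code. The storage_path() stub,
// the attachments directory and all function names below are assumptions.
declare(strict_types=1);

// Throwaway storage tree standing in for Laravel's storage/ directory (POSIX paths).
$STORAGE_ROOT = sys_get_temp_dir() . '/tipask_demo_' . getmypid();
mkdir($STORAGE_ROOT . '/app/attachments', 0700, true);
mkdir($STORAGE_ROOT . '/logs', 0700, true);
file_put_contents($STORAGE_ROOT . '/app/attachments/pic.png', "PNG-bytes");          // constructed
file_put_contents($STORAGE_ROOT . '/logs/laravel.log', "constructed log line: DB_PASSWORD=x"); // constructed

// Stand-in for the Laravel helper: storage root joined with a relative path.
function storage_path(string $path = ''): string
{
    global $STORAGE_ROOT;
    return $path === '' ? $STORAGE_ROOT : $STORAGE_ROOT . '/' . $path;
}

// Vulnerable pattern as described in the advisory: the user-supplied name goes
// straight into the path, so "../" segments walk out of the attachments directory.
function readAttachmentVulnerable(string $imageName): ?string
{
    $file = storage_path('app/attachments/' . $imageName);
    return is_file($file) ? file_get_contents($file) : null;
}

// The patch's approach: delete every ".." before building the path. One pass of
// str_replace suffices here (two dots that survive can never end up adjacent),
// but the name is silently rewritten rather than rejected.
function readAttachmentPatched(string $imageName): ?string
{
    $fileName = str_replace('..', '', $imageName);
    $file = storage_path('app/attachments/' . $fileName);
    return is_file($file) ? file_get_contents($file) : null;
}

// Stricter variant: keep only the basename, allow-list its characters, reject
// dotfiles, and verify with realpath() that the target, after symlink
// resolution, is still under the attachments directory.
function readAttachmentStrict(string $imageName): ?string
{
    $name = basename($imageName);
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $root = realpath(storage_path('app/attachments'));
    $file = realpath(storage_path('app/attachments/' . $name));
    if ($root === false || $file === false || strpos($file, $root . '/') !== 0) {
        return null; // missing file, or resolved outside the attachments root
    }
    return is_file($file) ? file_get_contents($file) : null;
}

$payload = '../../logs/laravel.log'; // constructed traversal payload for image_name

// Unsanitized: the relative path resolves to storage/logs/laravel.log.
var_dump(readAttachmentVulnerable($payload));
// Patched: ".." removed, the remaining "//logs/laravel.log" stays under attachments.
var_dump(readAttachmentPatched($payload));
// Strict: only the basename "laravel.log" is looked up, and only inside attachments.
var_dump(readAttachmentStrict($payload));
// Strict, legitimate request: the stored attachment is returned.
var_dump(readAttachmentStrict('pic.png'));

// Remove the throwaway tree.
foreach (['app/attachments/pic.png', 'logs/laravel.log'] as $f) {
    unlink(storage_path($f));
}
foreach (['app/attachments', 'app', 'logs', ''] as $d) {
    rmdir(storage_path($d));
}
```

Run it with `php demo.php` (PHP 7.1 or later). The point of the third function is the caveat a reviewer would raise on the patch: stripping `..` is enough to stop the `../` payload, but it rewrites input instead of rejecting it, so a malformed request is served a different file rather than a 4xx, and it does nothing about a symlink dropped into the attachments directory that points elsewhere on disk. The `realpath()` containment check covers both: a request is refused unless the fully resolved target sits under the resolved attachments root.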
Preconditions
- auth: The attacker must be a registered user of the Tipask application.
- network: The attacker must have network access to the attachment download endpoint.
- input: The attacker supplies a path traversal sequence (e.g., `../`) in the `image_name` or `avatar_name` parameter.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/sdfsky/tipask/blob/c4e6aa9f6017c9664780570016954c0922d203b7/app/Http/Controllers/AttachController.php (MISC)
- github.com/sdfsky/tipask/commit/9b5f13d1708e9a5dc0959cb8a97be1c32b94ca69 (MISC)
- www.yuque.com/henry-weply/penetration/fza5hm (MISC)