VYPR
Moderate severity · NVD Advisory · Published Nov 17, 2025 · Updated Nov 17, 2025

lsfusion platform DownloadFileRequestHandler.java DownloadFileRequestHandler path traversal

CVE-2025-13261

Description

A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Manipulation of the argument Version results in path traversal. The vulnerability can be exploited remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in lsFusion platform ≤6.1 via unvalidated version parameter in DownloadFileRequestHandler allows unauthorized remote file read.

The vulnerability resides in the DownloadFileRequestHandler class located at web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java in the lsFusion platform up to version 6.1 [1]. The issue is a path traversal flaw: the handleRequest method accepts a version parameter without validating it. When a request targets the endpoint /file/static/noauth with no trailing path, the filename is built solely from this unvalidated version parameter and appended directly to FileUtils.APP_DOWNLOAD_FOLDER_PATH, bypassing the path restrictions applied to the other API patterns [3].

Exploitation is straightforward and does not require authentication. The /file/static/noauth/** endpoint is designed to serve logos and icons without authentication. By sending a request to /file/static/noauth with directory traversal sequences (e.g., ../) in the version parameter, an attacker can make the application read arbitrary files from the server's filesystem [3]. The exploit technique has been publicly disclosed, which increases the likelihood of active attacks.

The impact is unauthorized disclosure of sensitive files on the server, potentially including configuration files, application source code, credentials, or any other data stored in files readable by the lsFusion process. NVD had not officially assigned a CVSS severity at the time of writing, but the vector suggests high confidentiality impact [2].

As of the latest available information, the vulnerability affects lsFusion versions ≤6.1. The lsFusion project is open source and hosted on GitHub [1]. Users should update to a patched version if one is available, or otherwise validate the version parameter and restrict access to the /file/static/noauth endpoint to mitigate the risk. No official patch is documented in the provided references, so users must monitor the vendor's repository for fixes.
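The flaw described above is a classic "join user input onto a base folder" bug. The following Java example is added here to illustrate the weak pattern beside a hardened resolution step; it is not lsFusion's code. DOWNLOAD_ROOT stands in for FileUtils.APP_DOWNLOAD_FOLDER_PATH and the method names are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeDownloadPath {
    // Hypothetical stand-in for FileUtils.APP_DOWNLOAD_FOLDER_PATH (assumed location).
    static final Path DOWNLOAD_ROOT =
            Paths.get("/opt/lsfusion/download").toAbsolutePath().normalize();

    // Weak pattern as the advisory describes it: the version string is glued onto the
    // download folder without any validation, so "../" segments walk out of the root.
    static Path weakResolve(String version) {
        return Paths.get(DOWNLOAD_ROOT.toString() + "/" + version);
    }

    // Hardened form: allowlist a single plain segment, explicitly reject "." and ".."
    // (the allowlist alone would accept ".."), then canonicalize and confirm the
    // result still lies strictly inside the download root.
    static Path safeResolve(String version) {
        if (version == null || !version.matches("[A-Za-z0-9._-]+")
                || version.equals(".") || version.equals("..")) {
            throw new IllegalArgumentException("rejected version parameter");
        }
        Path candidate = DOWNLOAD_ROOT.resolve(version).normalize();
        if (!candidate.startsWith(DOWNLOAD_ROOT) || candidate.equals(DOWNLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes download root");
        }
        // Caveat: if the folder may contain symlinks, also compare
        // candidate.toRealPath() against DOWNLOAD_ROOT.toRealPath() once the file exists.
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal version and two traversal attempts.
        String[] samples = {"6.1", "../../outside.txt", ".."};
        for (String s : samples) {
            System.out.println("weak : " + weakResolve(s).normalize());
            try {
                System.out.println("safe : " + safeResolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("safe : REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it shows the weak resolution of the traversal inputs normalizing to paths outside /opt/lsfusion/download, while the hardened method rejects them and accepts only "6.1".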

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lsfusion.platform:web-client (Maven)
Affected versions: <= 6.1
Patched versions: none listed


Patches

No patches discovered yet.
