CVE-2025-34508
Description
A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in ZendTo file dropoff functionality allows authenticated attackers to read other users' files, access host system files, or cause denial of service.
Root Cause
A path traversal vulnerability (CWE-22) exists in ZendTo's file dropoff functionality due to insufficient sanitization of the "chunkName" parameter during the processing of dropoff requests [1][2]. This allows an attacker to specify arbitrary file paths.
Exploitation
An authenticated attacker can craft HTTP requests to supply malicious chunkName values that traverse directories, bypassing intended access controls. No special privileges beyond a valid user account are required [1].
Impact
Successful exploitation enables the attacker to read files from other users' dropoffs, access arbitrary files on the host system, or cause a denial of service by manipulating file paths [2].
Mitigation
The vulnerability is patched in ZendTo version 6.15-8. All users are strongly recommended to upgrade immediately [1][2].
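The root cause described above is a client-supplied chunkName reaching a filesystem path without adequate checks. As an added illustration (not ZendTo's code and not its actual patch), this Python sketch shows one way to confine such a value to a single directory; the token format, directory layout and function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed format (not from the page): a server-issued token of letters and digits.
CHUNK_NAME_RE = re.compile(r"[A-Za-z0-9]{8,64}")


class InvalidChunkName(ValueError):
    """Raised when a client-supplied chunk name must not be used."""


def safe_chunk_path(chunk_dir, chunk_name):
    """Return the chunk's path only if it is a regular file directly in chunk_dir."""
    # 1. Allowlist the value itself: no separators, dots, NULs or empty names.
    if not CHUNK_NAME_RE.fullmatch(chunk_name):
        raise InvalidChunkName("unexpected characters or length")
    base = Path(chunk_dir).resolve(strict=True)
    candidate = base / chunk_name
    # 2. Refuse symlinks so a planted link cannot redirect the read.
    if candidate.is_symlink():
        raise InvalidChunkName("chunk is a symlink")
    # 3. Containment check on the resolved path, as defence in depth.
    resolved = candidate.resolve()
    if resolved.parent != base or not resolved.is_file():
        raise InvalidChunkName("not a file in the chunk directory")
    return resolved


def demo():
    """Check constructed names against a temporary directory layout."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        chunk_dir = Path(root, "incoming")
        chunk_dir.mkdir()
        (chunk_dir / "a1b2c3d4e5").write_text("chunk data")
        Path(root, "other-user.txt").write_text("outside the chunk dir")
        (chunk_dir / "linkchunk01").symlink_to(Path(root, "other-user.txt"))
        for name in ("a1b2c3d4e5", "../other-user.txt", "linkchunk01", "", "zzzzzzzz99"):
            try:
                safe_chunk_path(chunk_dir, name)
                verdicts[name] = "accepted"
            except InvalidChunkName as exc:
                verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:22} {verdict}")
```

The allowlist alone stops the traversal case; the symlink and containment checks cover files that pass the name check but still point outside the directory.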
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.