Showing posts from June, 2021

ScaffoldHub arbitrary file read vulnerability

When conducting a security code audit for one of my clients, I found an arbitrary file read due to path traversal in ScaffoldHub; the vulnerability is in the local file storage strategy. I fixed the vulnerability for my client first, since that was my first priority, and then responsibly disclosed it to Felipe Lima, the owner of the project, on Discord. He acted quickly, patched [1] the issue in less than 2 hours and emailed his clients about the fix. Felipe also kindly gave me a developer subscription to ScaffoldHub, so I guess I'm obliged to use it for my next web project!

[1] Felipe's patch: https://gist.github.com/felipepastorelima/46e78f4201c2efc803c276d0da0fc211