ScaffoldHub arbitrary file read vulnerability

When conducting a security code audit for one of my clients, I found an arbitrary file read due to path traversal in ScaffoldHub; the vulnerability is in the local file storage strategy.

I fixed the vulnerability for my client first, since that was my priority, and then responsibly disclosed it to Felipe Lima, the owner of the project, on Discord. He acted quickly: in less than 2 hours he patched [1] the issue and emailed his clients about the fix.

Felipe also kindly gave me a developer subscription to scaffoldhub so I guess I'm obliged to use it for my next web project!


[1] Felipe's patch: https://gist.github.com/felipepastorelima/46e78f4201c2efc803c276d0da0fc211
