{"vulnerability": "cve-2023-40274", "sightings": [{"uuid": "08f8e825-f7d8-4680-bfd9-912212758d12", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-40274", "type": "seen", "source": "https://t.me/cibsecurity/68413", "content": "\u203c CVE-2023-40274 \u203c\n\nAn issue was discovered in zola 0.13.0 through 0.17.2. The custom implementation of a web server, available via the \"zola serve\" command, allows directory traversal. The handle_request function, used by the server to process HTTP requests, does not account for sequences of special path control characters (../) in the URL when serving a file, which allows one to escape the webroot of the server and read arbitrary files from the filesystem.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-14T07:19:02.000000Z"}]}