Impact
An issue in Zhoros SuperBin version 1.0.0 permits attackers to inject path traversal characters in file names during an operation that saves or handles files. This flaw allows the attacker to reference directories outside the intended scope, potentially reading or writing sensitive files on the target system as the program’s user. The weakness is classified as CWE‑22, indicating an improper limitation on a pathname. The resulting impact is the unauthorized disclosure, modification, or deletion of files that should otherwise be protected.
Affected Systems
The affected product is Zhoros SuperBin, specifically the 1.0.0 release. Vendor details are not publicly identified in the CVE advisory. No other product versions are noted as affected.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1% shows a very low probability that this flaw is actively exploited in the wild at this time, and the flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves an attacker sending a specially crafted file name to the application’s file handling component; the vulnerability would be exploitable if the application accepts arbitrary file names without sanitization and writes them to the file system. The exploit requires the application to be running on the target host and the attacker to have access to the file upload or naming input surface, but no elevated privileges are necessary if the application runs with sufficient rights to the destination directories. Once the path traversal is achieved, the attacker can read or modify any file within the application’s filesystem context, which could lead to credential leakage or arbitrary code execution if configuration files are altered.
OpenCVE Enrichment