Published: 07/06/2021 Updated: 17/06/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

Dino prior to 0.1.2 and 0.2.x prior to 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators.


Vulnerable Product

dino dino

fedoraproject fedora 33

fedoraproject fedora 34

Vendor Advisories

It was discovered that when a user receives and downloads a file in Dino before version 0.2.1, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user. This vulnerability does not allow overwriting or modifying existing files and the attacker can ...

Mailing Lists

### Affected software

Dino (Instant Messenger) - dino.im/

### Severity

Medium (4.7): AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

### Affected versions

- Release version 0.2.0
- Release version 0.1.1 and earlier
- Nightly version 020~git113202106011ac16ecd and earlier

### Fixed versions

- Release version 0.2.1
- Release version 0.1.2
- Nigh ...

Github Repositories

Use at your own risk. CVE-2021-33896 Exploit. Windows Binary PoC: ./CVE-2021-33896.exe will run the exploit. ./CVE-2021-33896.exe Target IP, ./CVE-2021-33896.exe www.example.com. Running the exploit on Linux: change the target IP in CVE-2021-33896.sh, then do: chmod +x CVE-2021-33896.sh, ./CVE-2021-33896.sh Target IP, ./CVE-2021-33896.sh wwwexam