
Arbitrary Path Existence Disclosure in Resources Endpoint

Moderate
shamoon published GHSA-c4qv-fm8g-wm67 Aug 13, 2025

Package: homepage

Affected versions: <1.4.5

Patched versions: v1.4.5

Description

Summary

The "resources" widget, enabled by default in the configuration, contains an API endpoint /api/widgets/resources with the query parameter ?type=disk that is vulnerable to Arbitrary Path Existence Disclosure. An unauthenticated user can determine whether any file or directory exists on the server's filesystem. This information leak may aid further attacks.

Details

The endpoint /api/widgets/resources accepts requests with the query parameter ?type=disk&target=<path>. When the specified path exists, the server responds with disk information associated with that path. If the path does not exist, the server responds with:

{"error":"Target not found"}

This discrepancy in responses allows an attacker to probe the server and infer the existence of arbitrary files and directories anywhere in the filesystem.

PoC

  1. Send a request to the vulnerable endpoint for a known existing path:

     GET /api/widgets/resources?type=disk&target=/etc/passwd

     Response shows disk information.

  2. Send a request to the same endpoint for a non-existing path:

     GET /api/widgets/resources?type=disk&target=/nonexistent/path

     Response: {"error":"Target not found"}

Impact

This is an Arbitrary Path Existence Disclosure vulnerability. Any unauthenticated user can probe the filesystem and learn whether specific files or directories exist, which could facilitate targeted attacks, reconnaissance, or exploitation of other vulnerabilities.
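
The response discrepancy described above, modelled next to one way to remove it, as an added example that is not the project's code or its actual patch. It assumes the operator configures a list of reportable paths; FAKE_FS, statDisk, makeHardenedHandler and isOracle are hypothetical names, and the disk values are constructed.

```javascript
// Added example: models the flaw and one possible fix; not the project's code.
// Constructed in-memory "filesystem" (path -> disk stats, values made up).
const FAKE_FS = new Map([
  ["/", { size: 1000, used: 400 }],
  ["/etc/passwd", { size: 1000, used: 400 }],
  ["/mnt/media", { size: 8000, used: 6100 }],
]);
// Hypothetical stand-in for the real disk query; returns null if path is absent.
const statDisk = (p) => FAKE_FS.get(p) ?? null;

// Behaviour the advisory describes: any caller-supplied path is queried and
// the reply reveals whether it exists.
function vulnerableHandler(query) {
  const stats = statDisk(query.target);
  return stats ?? { error: "Target not found" };
}

// Hardened variant. Assumption: the operator lists reportable paths in config.
function makeHardenedHandler(configuredTargets, stat = statDisk) {
  const allowed = new Set(configuredTargets);
  const rejected = () => ({ error: "Invalid target" });
  return function handler(query) {
    const target = query.target;
    // Exact-match allowlist, checked before any filesystem access, so an
    // unlisted path is never queried and cannot influence the reply.
    if (typeof target !== "string" || !allowed.has(target)) return rejected();
    // A listed path that is missing gets the same generic reply.
    return stat(target) ?? rejected();
  };
}

// True when probing an existing and a missing path yields different replies.
function isOracle(handler, existingPath, missingPath) {
  const a = JSON.stringify(handler({ target: existingPath }));
  const b = JSON.stringify(handler({ target: missingPath }));
  return a !== b;
}

const hardened = makeHardenedHandler(["/", "/mnt/media"]);
console.log("vulnerable leaks:", isOracle(vulnerableHandler, "/etc/passwd", "/nonexistent/path"));
console.log("hardened leaks:", isOracle(hardened, "/etc/passwd", "/nonexistent/path"));
```

The isOracle check doubles as a regression test: run it against any handler that takes a caller-supplied path and fail the build if it returns true.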

Severity

Moderate


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

No known CVE

Weaknesses

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
