Vulnerability: Unauthorized Arbitrary File Read in lsFusion ≤ 6.1

**BUG_Author:** R1ckyZ

**Affected Version:** lsFusion ≤ 6.1

**Vendor:** [lsfusion GitHub Repository](https://github.com/lsfusion/platform)

**Software:** [lsfusion](https://github.com/lsfusion/platform)

**Vulnerability** **Files:**

- `web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java`

## Description:

The API `/file/static/noauth/**` is used to download logos and icons without authentication. The `handleRequest` method in `DownloadFileRequestHandler` supports a `version` parameter. While the `/**` path component is validated, if an attacker directly accesses `/file/static/noauth` (without a trailing path), the filename is derived solely from the unvalidated `version` parameter. The generated `fileName` is then directly appended to `FileUtils.APP_DOWNLOAD_FOLDER_PATH`, leading to arbitrary file read vulnerabilities.

<img width="1066" height="256" alt="Image" src="https://github.com/user-attachments/assets/2dc7bf7e-e093-48c9-b9e1-124ac0fa7e27" />

<img width="975" height="408" alt="Image" src="https://github.com/user-attachments/assets/c81255ac-6e05-4602-ab76-df96853cfea5" />

## Proof of Concept:

1. Requesting the API `/file/static/noauth` and passing a directory traversal payload to the **version** parameter.

<img width="1276" height="652" alt="Image" src="https://github.com/user-attachments/assets/33f912ca-a733-4edb-8717-f8457a323f9e" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability: Unauthorized Arbitrary File Read in lsFusion ≤ 6.1 #1543

Description:

Proof of Concept:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability: Unauthorized Arbitrary File Read in lsFusion ≤ 6.1 #1543

Description

Description:

Proof of Concept:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions