CVE-2022-4982
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dbltek | goip-1 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a local file inclusion issue in DBLTek GoIP-1 firmware versions up to and including GHSFVT-1.1-67-5. The device's web server has handlers that accept path parameters which are not properly validated or canonicalized. An attacker can exploit this by supplying directory-traversal sequences to make the server read and return arbitrary files from the filesystem that the webserver user can access.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to read arbitrary files on the device's filesystem that the webserver user has access to. This could lead to exposure of sensitive information stored on the device, potentially compromising the security and privacy of the system.