GHSA-277h-px4m-62q8: 
JavaScript vulnerability analysis and mitigation

A vulnerability in @saltcorn/server npm package (GHSA-277h-px4m-62q8) allows users with admin permissions to read and download arbitrary zip files when downloading auto backups. The vulnerability affects versions <= 1.0.0-beta.13 and has been patched in version 1.0.0-beta.14. The issue stems from improper sanitization of file names used in the backup download functionality (GitHub Advisory).

The vulnerability exists in the auto-backup-download endpoint where the filename parameter is not properly sanitized before being passed to the res.download API. The application checks if the filename starts with a backupfileprefix and ends with '.zip', but fails to resolve the path before this check, allowing path traversal. This is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability has a CVSS v3.1 score of 4.4 (Moderate) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability allows authenticated administrators to access and download arbitrary zip files from the system through path traversal, leading to potential information disclosure. The impact is limited to files with .zip extension but could expose sensitive information stored in zip format anywhere on the system (GitHub Advisory).

The vulnerability has been patched in version 1.0.0-beta.14 by resolving the filename parameter before checking if it starts with backupfileprefix. Users should upgrade to this version or later to address the vulnerability. The fix involves using path.resolve() to properly handle the file path before validation (GitHub Commit).