GHSA-cfqx-f43m-vfh7: 
JavaScript vulnerability analysis and mitigation

A directory traversal vulnerability was discovered in @saltcorn/server versions up to 1.0.0-beta.13, tracked as GHSA-cfqx-f43m-vfh7. The vulnerability allows users with admin permissions to read arbitrary file and directory names on the filesystem by exploiting an improperly validated builddirname parameter in the admin/build-mobile-app/result endpoint (GitHub Advisory).

The vulnerability exists in the /build-mobile-app/result endpoint where the builddirname parameter from the query string is not properly validated before being used to construct the buildDir path. This path is then used in a readdirSync() call, allowing directory traversal through path manipulation. The vulnerability has been assigned a CVSS v3.1 score of 4.9 (Moderate) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, high privileges required, and potential for high confidentiality impact (GitHub Advisory).

The vulnerability results in information disclosure, allowing authenticated administrators to view arbitrary file and directory names on the filesystem. However, the impact is limited as it only allows viewing file and directory names without the ability to download or access the actual content of the files (GitHub Advisory).

The vulnerability has been patched in version 1.0.0-beta.14. The fix involves resolving the buildDir path and validating that it starts with ${rootFolder.location}/mobile_app before processing the request. Users should upgrade to version 1.0.0-beta.14 or later to address this vulnerability (GitHub Advisory, Saltcorn Commit).