Advisories for NuGet/DotVVM package

2026

ReDoS in DotVVM routing

This impacts applications that declare multiple unconstrained route parameters within a single path segment, i.e. parameters not separated by a `/`. For instance, the following route is vulnerable: a request path consisting of the `edit/` prefix followed by a long run of `-` characters forces the route matcher into excessive backtracking, so `IsMatch` takes far longer than a normal request to return.

```csharp
// Three unconstrained parameters {a}, {b} and {c} share one segment, separated only by '-'
var route = new DotvvmRoute("edit/{a}-{b}-{c}/done", null, "testpage", null, null, configuration);

// Adversarial input: 32,000 '-' characters and no "/done" suffix, so every way of
// splitting the dashes between a, b and c is tried before the match finally fails
var adversarialInput = "edit/" + new string('-', 32000);

route.IsMatch(adversarialInput, out _);
```
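The following is an added illustration of why this template shape is dangerous; it is not DotVVM's routing code. It assumes (as a simplification) that an unconstrained parameter compiles to "anything except `/`" and then times three variants of the same template against the advisory's adversarial input: the vulnerable one, the same parameters separated by `/`, and a constrained (digits-only) parameter. The `RouteBacktrackingDemo` class, `Compile` and `TimedMatch` are hypothetical names; the regex match timeout is a real .NET `Regex` feature.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

static class RouteBacktrackingDemo
{
    // ASSUMPTION: an unconstrained parameter matches "anything but '/'", lazily.
    // This approximates a route compiler; it is not DotVVM's actual implementation.
    const string Unconstrained = "[^/]*?";
    // A constrained parameter (digits only) can never overlap with the '-' separator.
    const string DigitsOnly = "[0-9]+";

    // Builds a regex for the template "edit/{a}<sep>{b}<sep>{c}/done".
    static string Compile(string param, char sep) =>
        $"^edit/(?<a>{param}){sep}(?<b>{param}){sep}(?<c>{param})/done$";

    // Matches under a timeout so a pathological input fails closed instead of
    // pinning a worker thread indefinitely. Returns the outcome and elapsed time.
    static (string outcome, long ms) TimedMatch(string pattern, string input)
    {
        var regex = new Regex(pattern, RegexOptions.None, TimeSpan.FromSeconds(2));
        var sw = Stopwatch.StartNew();
        try
        {
            bool ok = regex.IsMatch(input);
            return (ok ? "match" : "no match", sw.ElapsedMilliseconds);
        }
        catch (RegexMatchTimeoutException)
        {
            return ("timed out (ReDoS)", sw.ElapsedMilliseconds);
        }
    }

    static void Main()
    {
        // Constructed adversarial input, as in the advisory: 32,000 '-' and no "/done".
        string adversarial = "edit/" + new string('-', 32000);

        // 1. Three unconstrained parameters in one segment: every split of the dashes
        //    between a, b and c is tried before the match fails (cubic work here).
        Console.WriteLine(TimedMatch(Compile(Unconstrained, '-'), adversarial));

        // 2. Same parameters separated by '/': each one is confined to its own
        //    segment, so there is only one way to split the input (linear work).
        Console.WriteLine(TimedMatch(Compile(Unconstrained, '/'), adversarial));

        // 3. Constrained parameters: '-' cannot be part of a value, so the first
        //    parameter fails immediately.
        Console.WriteLine(TimedMatch(Compile(DigitsOnly, '-'), adversarial));

        // A benign request still routes with the constrained template.
        Console.WriteLine(TimedMatch(Compile(DigitsOnly, '-'), "edit/1-22-333/done"));
    }
}
```

The first case hits the two-second timeout, the other two return in milliseconds. The structural fixes are the ones the advisory's wording points at: keep each unconstrained parameter in its own `/`-delimited segment, or constrain parameters so their character class excludes the separator. A match timeout (or, on .NET 7 and later, `RegexOptions.NonBacktracking`) is a defence-in-depth measure around any regex that consumes attacker-controlled input, not a substitute for fixing the template.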

2025

DotVVM allows path traversal when deployed in Debug mode

There is a path traversal vulnerability in any DotVVM application that runs in Debug mode and has registered at least one resource with a FileResourceLocation. It allows an attacker to read arbitrary files that the web application's process can access (e.g. appsettings.json or other files containing secrets).
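As an added example (not DotVVM's own code or its fix), this is the containment check any handler that maps a client-supplied resource name onto a file on disk needs: canonicalize both the root directory and the combined path, then accept the result only if it still lies under the root. `FileResourceGuard`, `Resolve`, `rootDir` and `resourceName` are hypothetical names; the `..` inputs in `Main` are constructed test values.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

static class FileResourceGuard
{
    // Returns the canonical absolute path if 'resourceName' resolves inside
    // 'rootDir'; returns null for anything that escapes it.
    public static string? Resolve(string rootDir, string resourceName)
    {
        // Canonicalize the root and force a trailing separator so that
        // "/srv/app/res" does not accept "/srv/app/res-private/x" as a prefix match.
        string root = Path.GetFullPath(rootDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // An absolute name would make Path.Combine discard the root entirely.
        if (Path.IsPathRooted(resourceName))
            return null;

        // GetFullPath collapses ".", ".." and repeated separators.
        string full = Path.GetFullPath(Path.Combine(root, resourceName));

        // Windows file systems are case-insensitive; compare accordingly.
        var comparison = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        // Caveat: symbolic links under the root are not resolved here. If untrusted
        // users can create entries under the root, resolve links before this check.
        return full.StartsWith(root, comparison) ? full : null;
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "dotvvm-resources");
        string[] names =
        {
            "scripts/site.js",          // normal resource, accepted
            "../appsettings.json",      // escapes the root, rejected
            "css/../../secrets.txt",    // escapes after normalization, rejected
            "/etc/passwd"               // absolute path, rejected
        };
        foreach (string name in names)
            Console.WriteLine($"{name,-24} -> {Resolve(root, name) ?? "REJECTED"}");
    }
}
```

Two details matter in practice: the trailing separator on the canonical root, without which a sibling directory sharing the root's name as a prefix passes the check, and rejecting rooted input before `Path.Combine`, which otherwise silently returns the second argument. Independently of such a check, Debug mode should never be enabled on an internet-facing deployment.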