{"id":"CVE-2019-13343","details":"Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename.","modified":"2026-04-11T08:05:39.040088Z","published":"2019-10-02T16:15:14.227Z","references":[{"type":"ADVISORY","url":"https://bitbucket.org/account/user/butor-team/projects/PROJ"},{"type":"ADVISORY","url":"https://bitbucket.org/butor-team/portal/commits/all"},{"type":"FIX","url":"https://bitbucket.org/butor-team/portal/commits/cd7055d33e194fcf530100ee1d8d13aa9cde230b"},{"type":"EVIDENCE","url":"https://bitbucket.org/butor-team/portal/src/cd7055d33e194fcf530100ee1d8d13aa9cde230b/src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java?at=master"},{"type":"EVIDENCE","url":"https://www.gosecure.net/blog/2019/09/30/butor-portal-arbitrary-file-download-vulnerability-cve-2019-13343"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/butor-team/portal","events":[{"introduced":"0"},{"fixed":"cd7055d33e194fcf530100ee1d8d13aa9cde230b"}]},{"type":"GIT","repo":"https://bitbucket.org/butor-team/portal","events":[{"introduced":"0"},{"fixed":"cd7055d33e194fcf530100ee1d8d13aa9cde230b"}]}],"versions":["v1.0.12","v1.0.13","v1.0.14","v1.0.16","v1.0.17","v1.0.18","v1.0.19","v1.0.22","v1.0.23","v1.0.24","v1.0.25","v1.0.3","v1.0.5","v1.0.6","v1.0.7","v1.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13343.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.0.27"}]},{"events":[{"introduced":"0"},{"fixed":"1.0.27"}]}],"vanir_signatures":[{"id":"CVE-2019-13343-3002fc52","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["258212608843229262247361505895702871892","178147678383434021193724111240360665528","298303949428613447334701423945072506860","230145181926896130479237155499623611097","218106648773736913122202914461757495194","157252327876678578555298930454655562804","315154663657932694346084968733643448105","137450595319267565534451463980117174848"]},"target":{"file":"src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java"},"source":"https://bitbucket.org/butor-team/portal@cd7055d33e194fcf530100ee1d8d13aa9cde230b","deprecated":false,"signature_type":"Line"},{"id":"CVE-2019-13343-5450f3f6","signature_version":"v1","digest":{"length":2604,"function_hash":"274076426177737951096722083256556587546"},"target":{"function":"service","file":"src/main/java/com/butor/portal/web/servlet/WhiteLabelingServlet.java"},"source":"https://bitbucket.org/butor-team/portal@cd7055d33e194fcf530100ee1d8d13aa9cde230b","deprecated":false,"signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T08:05:39Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}