{"id":"CVE-2022-39812","details":"Italtel NetMatch-S CI 5.2.0-20211008 allows Absolute Path Traversal under NMSCI-WebGui/SaveFileUploader. An unauthenticated user can upload files to an arbitrary path. An attacker can change the uploadDir parameter in a POST request (not possible using the GUI) to an arbitrary directory. Because the application does not check in which directory a file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.","modified":"2026-03-14T11:52:32.061956Z","published":"2023-01-27T22:15:08.407Z","references":[{"type":"EVIDENCE","url":"https://www.gruppotim.it/it/footer/red-team.html"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39812.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"5.2.0-20211008"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}