EUVD-2025-19221
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho allows Path Traversal. This issue affects Litho: from n/a through 3.0.
Analysis
Path traversal vulnerability in themezaa Litho that allows unauthenticated network attackers to cause a denial of service by accessing files outside the intended directory structure. Affected versions range from an unspecified baseline through version 3.0 of the Litho product. The vulnerability has a high CVSS score of 8.6 with a network attack vector and no authentication requirements, making it easily exploitable by remote attackers.
Technical Context
The vulnerability stems from improper input validation in pathname handling (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Litho, a theming or template engine developed by themezaa, fails to adequately sanitize user-supplied input when constructing file paths, allowing directory traversal sequences (such as '../' or absolute paths) to escape the intended restricted directory. This path traversal enables attackers to read, access, or interact with arbitrary files on the system that the Litho application has permissions to access. The attack surface is web-exposed due to the Network attack vector (AV:N) classification, suggesting this is a web application or service component vulnerable via HTTP/HTTPS requests.
Affected Products
Litho (versions from an unspecified baseline through version 3.0 (inclusive))
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today