An attacker can include file contents from outside the `/adapter/xxx/` directory, where `xxx` is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. **Note:** The attacker has to be logged in if the authentication is enabled (by default isn't enabled).
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| iobroker.js-controller(npm) | 0 | 2.0.25 | N/A |
CVSS Metrics
