An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via absolute path traversal in the path parameter.
The vulnerability occurs in the isCompleted method handled by the Virto.SharePoint.FileDownloader/Api/Download.ashx endpoint. An attacker can pass an absolute file path in the path parameter, thereby bypassing mechanisms that restrict access to the designated directory. The lack of proper validation and sanitization of the path parameter allows reading or deleting files outside the intended scope of the application.
An unauthenticated attacker can download any file available on the server (including configuration files, user data, application secrets) or permanently delete it, which may lead to sensitive data leakage and system disruption.
Patches available from the vendor should be applied according to references. It is recommended to check VirtoSoftware documentation (docs.virtosoftware.com) for updated software versions and implement vendor security recommendations. Until the update is applied, consider restricting network access to the Download.ashx endpoint at the firewall or reverse proxy level.
VirtoSoftware Virto Bulk File Download version 5.5.44 running on Microsoft SharePoint Server 2019
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft SharePoint Server
APPMicrosoft2019Virtosoftware Sharepoint Bulk File Download
APPVirtosoftware5.5.44
Related vulnerabilities
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE przez deserialization w Microsoft SharePoint Server (on-premises)
Microsoft SharePoint Server Elevation of Privilege Vulnerability
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the sour...
Microsoft Word Remote Code Execution Vulnerability