<p>In the same code snippet as described in <a href="https://github.com/opentechinstitute/commotion-apps/issues/11" class="issue-link" title="RCE in add local applications form ‘uuid’ parameter (Critical)">#11</a>, arbitrary file<br>
removal is possible:</p>

<p><a href="https://github.com/opentechinstitute/commotion-apps/blob/3bcf912eec5d3b7b0192cf4c21e334c6775ec482/lua/luci/controller/commotion/apps_controller.lua#L534-L543">https://github.com/opentechinstitute/commotion-apps/blob/3bcf912eec5d3b7b0192cf4c21e334c6775ec482/lua/luci/controller/commotion/apps_controller.lua#L534-L543</a></p>

<p>To exploit this vulnerability, an attacker first registers a new application (unique name, IP address/port pair) and then supplies a path traversal sequence in the uuid parameter so that the removal step deletes an arbitrary file on the device.</p>
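<p>As an added illustration (not code from commotion-apps or from this issue), the following Python shows the general pattern the report describes: a removal path built by concatenating a user-controlled uuid parameter onto a base directory, next to a hardened version that whitelists the parameter format and confirms the resolved path stays inside the base directory. The directory layout, function names and the UUID format check are assumptions made for the example; the constructed scenario in <code>demo()</code> places a victim file one level above the application directory and reaches it with <code>../</code>.</p>

```python
"""Added example, not commotion-apps code: path traversal through a 'uuid'
parameter used to build a file-removal path, and a hardened replacement.
Layout and names are assumptions for illustration."""
import os
import re
import tempfile

# Assumption: one file per registered application lives under app_dir, named by uuid.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def remove_app_unsafe(app_dir, uuid):
    """Vulnerable pattern: the parameter goes straight into the path.
    '../x' walks out of app_dir, and an absolute uuid makes os.path.join
    discard app_dir entirely."""
    path = os.path.join(app_dir, uuid)
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def remove_app_safe(app_dir, uuid):
    """Hardened: reject anything that is not a canonical UUID, then verify the
    resolved path is a direct child of the resolved base directory."""
    if not UUID_RE.match(uuid):
        raise ValueError("uuid parameter is not a canonical UUID")
    base = os.path.realpath(app_dir)
    target = os.path.realpath(os.path.join(base, uuid))
    if os.path.dirname(target) != base:
        raise ValueError("resolved path escapes the application directory")
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def demo():
    """Constructed scenario: victim file outside app_dir, reached via '../'."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "apps")
    os.mkdir(app_dir)
    victim = os.path.join(root, "important.conf")
    open(victim, "w").close()
    traversal = "../important.conf"

    # Unsafe version removes the file outside app_dir.
    unsafe_deleted = remove_app_unsafe(app_dir, traversal)
    unsafe_victim_gone = not os.path.exists(victim)

    # Recreate the victim; the safe version rejects the same input untouched.
    open(victim, "w").close()
    try:
        remove_app_safe(app_dir, traversal)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    safe_victim_intact = os.path.exists(victim)

    # A well-formed uuid still works through the hardened path.
    good = "123e4567-e89b-12d3-a456-426614174000"
    open(os.path.join(app_dir, good), "w").close()
    legit_removed = remove_app_safe(app_dir, good)

    return (unsafe_deleted, unsafe_victim_gone, safe_rejected,
            safe_victim_intact, legit_removed)


if __name__ == "__main__":
    print(demo())
```

<p>The two checks in the hardened version are independent on purpose: the format whitelist stops traversal and absolute-path inputs at the parameter, and the <code>realpath</code> comparison catches anything the whitelist misses, including symlinks placed under the application directory.</p>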

<p>Originally reported as WRT-01-008</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;"><a href='https://github.com/opentechinstitute/commotion-apps/issues/13'>View this issue on GitHub</a>.</p>