A certain HTML injection combined with path traversal in the Email service in Gravitee API Management before 3.15.13 allows anonymous users to read arbitrary files via a /management/users/register request.
A patch for this vulnerability was published in 2019 but did not appear to resolve the issue. This year's fix, however, does remove the flaw.
Vulnerable product: Gravitee API Management
Affected version: < 3.15.13
Fixed version: 3.15.13
References:
https://github.com/gravitee-io/gravitee-api-management
2019 vulnerability: https://github.com/advisories/GHSA-xc4w-28g8-vqm5
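As an added defender's example (not code from the advisory or from the Gravitee project), the script below checks whether a deployed version is older than the fixed release and triages request-log lines for calls to the registration endpoint whose body carries path-traversal sequences or HTML markup. The log format, the JSON field names and the sample values are all constructed assumptions, not Gravitee's real format or parameter names.

```python
import json
import re

FIXED_VERSION = (3, 15, 13)               # from the advisory: fixed in 3.15.13
ENDPOINT = "/management/users/register"   # endpoint named in the advisory

# Conservative patterns for the two ingredients the advisory names.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e(%2f|/))", re.IGNORECASE)
MARKUP = re.compile(r"<\s*[a-z!/]", re.IGNORECASE)


def parse_version(v: str) -> tuple:
    """Turn '3.15.12' (a suffix such as '-SNAPSHOT' is ignored) into a comparable tuple."""
    core = re.match(r"\d+(\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the deployed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def suspicious_fields(body: dict) -> list:
    """Names of string fields carrying traversal sequences or HTML markup."""
    return [k for k, v in body.items()
            if isinstance(v, str) and (TRAVERSAL.search(v) or MARKUP.search(v))]


def triage(log_lines: list) -> list:
    """Return (client_ip, field_names) for registration requests worth a closer look.
    Assumed (constructed) log format: '<ip> <method> <path> <json body>'."""
    findings = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue                                   # not a request line we understand
        ip, _method, path, raw = parts
        if path.split("?", 1)[0] != ENDPOINT:
            continue                                   # only the endpoint from the advisory
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            continue                                   # malformed body: nothing to inspect
        hits = suspicious_fields(body) if isinstance(body, dict) else []
        if hits:
            findings.append((ip, hits))
    return findings


# Constructed sample log lines; field names are assumptions, not Gravitee's real parameters.
SAMPLE_LOG = [
    '198.51.100.7 POST /management/users/register {"email":"alice@example.com","firstname":"Alice","lastname":"Doe"}',
    '203.0.113.9 POST /management/users/register {"email":"bob@example.com","firstname":"<b>x</b>","lastname":"../../etc/hostname"}',
    '203.0.113.9 GET /management/apis {}',
]
```

Running `triage(SAMPLE_LOG)` flags only the second line, attributing the hit to both the markup-bearing and the traversal-bearing fields.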