cvedb.io
CVE-2021-41242
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2021-12-10T23:15:09.527 · Last modified 2026-06-17T04:08:09.473

Summary

OpenOlat is a web-based learning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files anywhere on the target system. The attack could be used to write files anywhere in the web root folder or outside it, depending on the configuration of the system and the permissions configured for the application server user. The attack requires an OpenOlat user account, an enabled REST API and the rights on a business object to call the vulnerable REST calls. The problem is fixed in versions 15.5.12 and 16.0.5. There is a workaround available. The vulnerability requires the REST module to be enable
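The unsafe filename join behind this class of bug, next to a containment check that rejects it, as an added Java example; it is not OpenOlat's code or its actual fix. The class name, method names, base directory and sample filenames are all constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; all names here are hypothetical, not taken from OpenOlat.
public class UploadPathCheck {

    // Unsafe pattern: the client-supplied name is joined to the base directory
    // as-is, so a name containing "../" resolves outside of it.
    static Path resolveUnsafe(Path baseDir, String filename) {
        return baseDir.resolve(filename);
    }

    // Hardened pattern: accept only a single path segment, then confirm the
    // normalized result is still located under the real base directory.
    static Path resolveSafe(Path baseDir, String filename) throws IOException {
        if (filename == null || filename.isBlank()
                || filename.contains("/") || filename.contains("\\")
                || filename.indexOf('\0') >= 0
                || filename.equals(".") || filename.equals("..")) {
            throw new IOException("rejected filename: " + filename);
        }
        Path base = baseDir.toRealPath();
        Path target = base.resolve(filename).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("path escapes base directory: " + filename);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-base"); // constructed sample directory
        String[] samples = { "report.pdf", "../outside.txt", "sub/../../outside.txt", "..", "notes.txt" };
        for (String name : samples) {
            Path unsafe = resolveUnsafe(base, name).normalize();
            String verdict;
            try {
                verdict = "accepted -> " + base.toRealPath().relativize(resolveSafe(base, name));
            } catch (IOException e) {
                verdict = e.getMessage();
            }
            System.out.printf("%-24s unsafe stays in base: %-5b safe: %s%n",
                    name, unsafe.startsWith(base), verdict);
        }
    }
}
```

The same check belongs on every code path that turns a request parameter into a file location, including paths that create directories.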

Affected products

frentix — openolat

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.