Vulnerability Description: Arbitrary file read Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19992
CVSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page doesn’t check the parameter that identify the file name to be read. Thus, an attacker can manipulate the file name to access any sensitive file within the filesystem.