Relative path traversal in Aqua eSolutions

Posted date 17/07/2023
5 - Critical
Affected Resources

Aqua Drive, version 2.4.


INCIBE has coordinated the publication of a vulnerability affecting Aqua Drive,  which has been discovered by Ander Martínez (Titanium Industrial Security).

The following code has been assigned to this vulnerability:


  • CVSS v3.1 base score: 9.9.
  • CVSS vector string: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Vulnerability type: CWE-23: Relative Path Traversal.

Update to version 2.5.


CVE-2023-3701: Aqua Drive is vulnerable to a relative path traversal vulnerability. By exploiting this vulnerability, an authenticated non privileged user could access/modify stored resources of other users. It could also be possible to access and modify the source and configuration files of the cloud disk platform, affecting the integrity and availability of the entire platform.