TLDR: It is frightening, a patch was made available the same day it was disclosed and everybody should update their servers. 


Butor Portal is affected by a Path Traversal vulnerability leading to pre-authentication arbitrary file downloads. Every file that can be read by the local user running the Butor Portal Web service could be exfiltrated by an anonymous attacker.

With the ability of reading most files on a server, an unauthenticated attacker could not only fully compromise the Butor application, but also the underlying infrastructure such as the database or the LDAP server using credentials stored in plain text in configuration files.

Exploitation of this vulnerability does not require advanced skill and can be automated.