Craft CMS · CVE-2026-32262
**Name of the Vulnerable Software and Affected Versions**
Craft CMS versions 4.0.0-RC1 through 4.17.4
Craft CMS versions 5.0.0-RC1 through 5.9.10
**Description**
Craft CMS is a content management system. In affected versions, `AssetsController->replaceFile()` passes the `targetFilename` body parameter to a `deleteFile()` call exactly as received from the request; `Assets::prepareAssetName()` is applied only later, when the replacement asset is saved. Because the delete happens before the filename is sanitized, an authenticated user with the `replaceFiles` permission can embed `../` path traversal sequences in `targetFilename` and delete arbitrary files inside the same filesystem root, including files in other folders or volumes that share that root, even if the user has no permission on those volumes. Only local filesystems are affected.
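To make the ordering bug concrete, the following Python model shows a replace handler that deletes the stale file before sanitizing the request parameter, next to one that sanitizes first and then verifies the resolved path stays inside the volume. This is an added illustration, not Craft's code: the directory layout, `prepare_asset_name()` (a stand-in for `Assets::prepareAssetName()`), `resolve_within_volume()`, and both `*_replace()` handlers are hypothetical names written for this example.

```python
import tempfile
from pathlib import Path


def make_fixture() -> Path:
    """Constructed layout (not Craft's): one local filesystem root holding two
    volumes. The attacker has replaceFiles on 'images' but no rights on 'docs'."""
    root = Path(tempfile.mkdtemp(prefix="fsroot-"))
    (root / "images").mkdir()
    (root / "docs").mkdir()
    (root / "images" / "logo.png").write_bytes(b"png")
    (root / "docs" / "secret.txt").write_text("must survive")
    return root


def prepare_asset_name(filename: str) -> str:
    """Hypothetical sanitizer standing in for Assets::prepareAssetName():
    keep only the last path component and drop any '..' remnants."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.replace("..", "").strip() or "unnamed"


def resolve_within_volume(volume_dir: Path, name: str) -> Path:
    """Defense in depth: canonicalize and refuse anything whose parent is not
    the volume directory itself (catches sanitizer regressions and symlinks)."""
    volume_dir = volume_dir.resolve()
    candidate = (volume_dir / name).resolve()
    if candidate.parent != volume_dir:
        raise ValueError(f"refusing path outside volume: {name!r}")
    return candidate


def vulnerable_replace(root: Path, volume: str, target_filename: str) -> str:
    """Models the advisory's bug: the raw request parameter reaches the delete
    call, and sanitization only happens afterwards for the save step."""
    stale = root / volume / target_filename          # '../' is still in here
    if stale.is_file():
        stale.unlink()                                # deletes outside the volume
    prepare_asset_name(target_filename)               # too late to help
    return stale.resolve().relative_to(root.resolve()).as_posix()


def hardened_replace(root: Path, volume: str, target_filename: str) -> str:
    """Fix pattern: sanitize first, then confine the resolved path to the volume
    before touching the filesystem."""
    name = prepare_asset_name(target_filename)
    stale = resolve_within_volume(root / volume, name)
    if stale.is_file():
        stale.unlink()
    return stale.relative_to(root.resolve()).as_posix()


def run_scenario(handler) -> dict:
    """Drive one handler with the traversal payload and report what survived."""
    root = make_fixture()
    acted_on = handler(root, "images", "../docs/secret.txt")
    return {
        "acted_on": acted_on,
        "secret_survives": (root / "docs" / "secret.txt").is_file(),
        "logo_survives": (root / "images" / "logo.png").is_file(),
    }


def guard_rejects(volume: str, name: str) -> bool:
    """True when the containment check alone would refuse this name."""
    root = make_fixture()
    try:
        resolve_within_volume(root / volume, name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_replace))
    print("hardened:  ", run_scenario(hardened_replace))
```

Running the block shows the vulnerable handler acting on `docs/secret.txt` and removing it, while the hardened handler acts on `images/secret.txt` (the sanitized name inside the caller's own volume) and leaves the other volume untouched. The separate containment check matters because a sanitizer that strips `..` is easy to regress; canonicalizing and comparing the parent directory makes the confinement independent of the string filter.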
**Recommendations**
Craft CMS versions 4.0.0-RC1 through 4.17.4 should be updated to version 4.17.5 or later.
Craft CMS versions 5.0.0-RC1 through 5.9.10 should be updated to version 5.9.11 or later.