CVE-2008-2863

Name of the Vulnerable Software and Affected Versions eLineStudio Site Composer (ESC) version 2.6

Description The issue allows remote attackers to create or delete arbitrary directories due to absolute path traversal vulnerabilities. This can be achieved by providing a full pathname in the inpCurrFolder parameter to specific API endpoints, such as "/cms/assetmanager/folderdel .asp" or "/cms/assetmanager/foldernew.asp".

Recommendations For version 2.6, avoid using the inpCurrFolder parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to the "/cms/assetmanager/folderdel .asp" and "/cms/assetmanager/foldernew.asp" endpoints to minimize the risk of exploitation.