PT-2015-3691 · Impresscms · Impresscms
Published: 2015-07-01 · Updated: 2022-05-17 · CVE-2014-1836
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
ImpressCMS versions prior to 1.3.6
Description
The issue allows remote attackers to delete arbitrary files via a full pathname in the image path parameter in a cancel action. This is due to an absolute path traversal vulnerability in the htdocs/libraries/image-editor/image-edit.php file.
Recommendations
For ImpressCMS versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue.
As a temporary workaround, consider restricting access to the htdocs/libraries/image-editor/image-edit.php file until a patch is available.
Avoid using the image path parameter in the affected cancel action until the issue is resolved.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Impresscms
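The class of fix for the absolute path traversal described above, as an added example that is not ImpressCMS code: a delete helper that only removes a file whose canonical path resolves inside one allowed directory, covering relative escapes and symlinks as well as the full-pathname case. The function name `safe_delete_temp_image` and the `imgtmp` directory are hypothetical.

```php
<?php
// Added illustration, not ImpressCMS code. safe_delete_temp_image() and the
// directory layout are hypothetical.
function safe_delete_temp_image(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Reject empty input, NUL bytes and absolute paths (POSIX, UNC, drive letter).
    if ($userPath === '' || strpos($userPath, "\0") !== false
        || preg_match('#^([/\\\\]|[A-Za-z]:)#', $userPath)) {
        return false;
    }
    // realpath() resolves ".." and symlinks; it returns false for a missing file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The canonical target must sit under the base directory. The trailing
    // separator stops "/x/imgtmp" from matching "/x/imgtmp-other".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'imgtmp', 0700, true);
file_put_contents("$root/imgtmp/edit_1.png", 'x');
file_put_contents("$root/config.php", 'keep me');

$cases = [
    'edit_1.png'       => true,   // temp image inside the allowed directory
    '../config.php'    => false,  // relative escape
    "$root/config.php" => false,  // full pathname, as in the advisory
];
foreach ($cases as $path => $expected) {
    $deleted = safe_delete_temp_image("$root/imgtmp", $path);
    printf("%-12s %s\n", $deleted === $expected ? 'as expected' : 'UNEXPECTED', $path);
}
```

The check and the `unlink()` are separate steps, so the allowed directory should not be writable by untrusted users who could swap a path component between them.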