CVE-2018-13980

Name of the Vulnerable Software and Affected Versions Zeta Producer Desktop CMS versions prior to 14.2.1

Description The issue allows for unauthenticated file disclosure when the filebrowser plugin is installed. This is due to a directory traversal vulnerability in the assets/php/filebrowser/filebrowser.main.php endpoint, specifically when the file parameter is manipulated with ../ sequences.

Recommendations For versions prior to 14.2.1, update to version 14.2.1 or later to resolve the issue. As a temporary workaround, consider uninstalling or disabling the filebrowser plugin until the update can be applied. Restrict access to the assets/php/filebrowser/filebrowser.main.php endpoint to minimize the risk of exploitation. Avoid using the file parameter in this endpoint until the issue is resolved.