PT-2018-14854 · Xiaocms · Xiaocms

Published: 2018-11-12 · Updated: 2018-12-13 · CVE-2018-19194

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

XiaoCms version 20141229

Description

An issue in XiaoCms allows full path disclosure through the "/admin/index.php?c=database" API endpoint, which returns a "failed to open stream" error message.

Recommendations

For XiaoCms version 20141229, consider restricting access to the "/admin/index.php?c=database" API endpoint until a fix is available. As a temporary workaround, avoid using the c parameter in the affected API endpoint to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2018-19194

Affected products

Xiaocms