CVE-2018-19197

Name of the Vulnerable Software and Affected Versions XiaoCms version 20141229

Description An issue was discovered that allows arbitrary directory deletion via directory traversal in the admin/index.php endpoint, specifically through the paths[] variable. This is possible due to a lack of proper validation in the database.php file within the admin/controller directory.

Recommendations For XiaoCms version 20141229, as a temporary workaround, consider restricting access to the admin/index.php endpoint, specifically to the import action, to minimize the risk of exploitation. Additionally, avoid using the paths[] variable in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.