CVE-2018-9850

Name of the Vulnerable Software and Affected Versions Gxlcms QY version 1.0.0713

Description The issue allows remote attackers to delete any file via directory traversal sequences in the id parameter of an "Admin-Data-del" request. This is due to a vulnerability in the LibLibActionAdminDataAction.class.php file.

Recommendations For version 1.0.0713, consider restricting access to the DataAction.class.php file or the "Admin-Data-del" request to minimize the risk of exploitation. Avoid using the id parameter in the affected request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.