CVE-2019-7403

Name of the Vulnerable Software and Affected Versions PHPMyWind version 5.5

Description An issue in PHPMyWind allows remote attackers to delete arbitrary folders. This is achieved through the "admin/database backup.php" API endpoint with specific parameters, including action=import, dopost=deldir, and tbname=../.

Recommendations For PHPMyWind version 5.5, as a temporary workaround, consider restricting access to the "admin/database backup.php" API endpoint until a patch is available. Avoid using the tbname parameter with relative paths (e.g., ../) in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.