CVE-2019-8411

Name of the Vulnerable Software and Affected Versions zzcms version 2018

Description The issue allows remote attackers to delete arbitrary files via a directory traversal attack. This is achieved by exploiting the action and filename parameters in the admin/dl data.php file. Specifically, the filename parameter is vulnerable to directory traversal attacks, allowing an attacker to access and delete files outside of the intended directory.

Recommendations For zzcms version 2018, restrict access to the admin/dl data.php file to minimize the risk of exploitation. As a temporary workaround, consider disabling the file deletion functionality in this file until a patch is available. Avoid using the filename parameter in the admin/dl data.php file with untrusted input until the issue is resolved.