CVE-2019-8412

Name of the Vulnerable Software and Affected Versions FeiFeiCms version 4.0.181010

Description The issue allows remote attackers to read or delete arbitrary files due to a directory traversal vulnerability. This can be exploited via specific API endpoints, such as "index.php?s=Admin-Data-Down-id-.." or "index.php?s=Admin-Data-Del-id-..".

Recommendations For FeiFeiCms version 4.0.181010, consider restricting access to the index.php endpoint with s=Admin-Data-Down-id- or s=Admin-Data-Del-id- parameters to minimize the risk of exploitation. As a temporary workaround, disable the Admin-Data-Down and Admin-Data-Del functionalities until a patch is available.