PT-2019-19749 · Ofcms · Ofcms

Anonymous · Published 2019-03-06 · Updated 2019-03-07 · CVE-2019-9610

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: OFCMS versions prior to 1.1.3

Description: An issue was discovered related to directory traversal. This issue is connected to the getTemplates function in TemplateController.java and can be exploited through the "/admin/cms/template/getTemplates.html" API endpoint with specific parameters such as res path and up dir.

Recommendations: For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the getTemplates function in TemplateController.java to minimize the risk of exploitation. Avoid using the res path and up dir parameters in the affected API endpoint until the issue is resolved.

Exploit

Fix

Path traversal

Weakness Enumeration

Related identifiers

CVE-2019-9610

Affected products

Ofcms