CVE-2019-9662

Name of the Vulnerable Software and Affected Versions JTBC(PHP) version 3.0.1.8

Description A flaw was found in the cache management module, allowing an arbitrary file ending in "inc.php" to be deleted. This can be achieved by accessing the console/cache/manage.php endpoint with specific parameters, including type=action, action=batch, batch=delete, and ids=../ substring.

Recommendations For JTBC(PHP) version 3.0.1.8, as a temporary workaround, consider restricting access to the console/cache/manage.php endpoint to minimize the risk of exploitation. Avoid using the ids parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.