Blackwolfsec

**Name of the Vulnerable Software and Affected Versions** b2evolution version 6.8.4-stable **Description** The issue allows an attacker to bypass a filter rule using `../`, enabling them to delete or read any files on the server, as well as determine whether a file exists. **Recommendations** For b2evolution version 6.8.4-stable, as a temporary workaround, consider restricting access to sensitive files and directories until a patch is available. Avoid using the `../` sequence in file paths to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** b2evolution versions prior to 6.8.4 **Description** A directory traversal issue exists, allowing remote authenticated users to read or delete arbitrary files. This is achieved by providing a .. (dot dot) in the `fm selected` array parameter in the inc/files/files.ctrl.php file, leveraging back-office access. **Recommendations** For versions prior to 6.8.4, update to version 6.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the back-office and limiting the use of the `fm selected` array parameter in the inc/files/files.ctrl.php file until a patch is available.