PT-2018-11237 · Metinfo · Metinfo
Published
2018-06-18
·
Updated
2020-08-24
·
CVE-2018-12530
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
MetInfo version 6.0.0
Description
An issue was discovered that allows remote attackers to delete arbitrary files via a directory traversal in the
admin/app/batch/csvup.php endpoint. This can be exploited via CSRF, using the flienamecsv parameter.Recommendations
For MetInfo version 6.0.0, consider restricting access to the
admin/app/batch/csvup.php endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the flienamecsv parameter in this endpoint until the issue is resolved.Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Metinfo