CVE-2018-13122

Name of the Vulnerable Software and Affected Versions OneFileCMS versions prior to 2017-10-08

Description The issue allows attackers to delete arbitrary files via the Delete File(s) screen. This can be achieved by manipulating the URI, for example, by using a query string such as '?i=var/www/html/&f=123.php&p=edit&p=deletefile', which targets the 'onefilecms.php' file.

Recommendations For versions prior to 2017-10-08, as a temporary workaround, consider restricting access to the Delete File(s) screen until a fix is available. Avoid using the delete file functionality in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.