CVE-2018-19181

Name of the Vulnerable Software and Affected Versions YUNUCMS version 1.1.5

Description The issue allows for arbitrary file deletion. This can be achieved by exploiting the statics/ueditor/php/controller.php "action=remove" key parameter, where an attacker can use directory traversal to delete sensitive files, such as the install.lock file.

Recommendations For YUNUCMS version 1.1.5, consider restricting access to the statics/ueditor/php/controller.php endpoint to minimize the risk of exploitation. As a temporary workaround, limit the ability to perform the "remove" action to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.