PT-2018-19074 · Gxlcms · Gxlcms Qy
Published
2018-04-08
·
Updated
2018-05-14
·
CVE-2018-9850
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Gxlcms QY version 1.0.0713
Description
The issue allows remote attackers to delete any file via directory traversal sequences in the
id parameter of an "Admin-Data-del" request. This is due to a vulnerability in the LibLibActionAdminDataAction.class.php file.Recommendations
For version 1.0.0713, consider restricting access to the
DataAction.class.php file or the "Admin-Data-del" request to minimize the risk of exploitation. Avoid using the id parameter in the affected request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gxlcms Qy