PT-2021-20386 · Laiketui · Laiketui

Viivyao · Published 2021-06-15 · Updated 2021-06-21 · CVE-2021-34129

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LaikeTui version 3.5.0
Description: The issue allows remote authenticated users to delete arbitrary files via directory traversal in the uploadImg, oldpic, or imgurl parameter, as demonstrated by deleting install.lock to enable reinstallation of the product in a manner controlled by the attacker.
Recommendations: For LaikeTui version 3.5.0, restrict access to the uploadImg, oldpic, and imgurl parameters to prevent directory traversal until a patch is available. As a temporary workaround, limit the ability of authenticated users to delete files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
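The root cause described above is a file-deletion routine that trusts a user-supplied path. The following is an added example, not LaikeTui code, of the containment check such a routine needs: the value from the request is joined to a fixed upload directory, canonicalised, and accepted only if it still lies under that directory. The upload root, the function names and the sample inputs are constructed for illustration; LaikeTui is a PHP application, and the same logic applies there with realpath() and a prefix comparison.

```python
import os
from typing import Callable, Optional

# Constructed example: directory under which user-supplied image paths must stay.
# Hypothetical location; the advisory names no path.
UPLOAD_ROOT = "/srv/uploads"


def safe_upload_path(user_value: str, upload_root: str = UPLOAD_ROOT) -> Optional[str]:
    """Map a user-supplied relative file name to an absolute path under upload_root.

    Returns the canonical absolute path, or None when the value is empty, carries a
    NUL byte, is absolute, or resolves outside upload_root (e.g. via '..' segments).
    """
    if not user_value or "\x00" in user_value:
        return None
    # Treat backslashes like slashes so Windows-style separators cannot hide '..'.
    value = user_value.replace("\\", "/")
    if value.startswith("/"):
        return None
    root = os.path.realpath(upload_root)
    # realpath collapses '..' and follows symlinks, so the check below sees the
    # path the filesystem would actually act on.
    candidate = os.path.realpath(os.path.join(root, value))
    # The candidate must be a strict descendant of root; comparing against
    # root + separator also rejects sibling directories that share a prefix.
    if not candidate.startswith(root + os.sep):
        return None
    return candidate


def delete_upload(user_value: str, upload_root: str = UPLOAD_ROOT,
                  unlink: Callable[[str], None] = os.unlink) -> bool:
    """Delete a file only if it lies inside upload_root; returns True on deletion.

    `unlink` is injectable so the containment logic can be exercised without
    touching the real filesystem.
    """
    path = safe_upload_path(user_value, upload_root)
    if path is None:
        return False
    try:
        unlink(path)
    except FileNotFoundError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request values: a legitimate image name and a traversal attempt.
    for value in ("avatar.png", "../../install.lock"):
        print(repr(value), "->", safe_upload_path(value))
```

Calling safe_upload_path() before any unlink, rename or overwrite is the single point at which the uploadImg, oldpic and imgurl values should be validated; rejecting the request (rather than silently stripping dot segments) also makes the attempt visible in application logs.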

Exploit

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-34129

Affected Products

Laiketui