PT-2022-12541 · Mingfei · Mingfei Content Management System

N1Eco · Published 2022-02-18 · Updated 2022-02-25 · CVE-2021-46062

CVSS v3.1: 7.1 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Mingfei Content Management System (MCMS) versions prior to 5.2.11
net.mingsoft:ms-basic versions prior to 2.1.16

Description

The issue allows for arbitrary file deletion. This can be achieved via the oldFileName parameter in POST requests to the "/template/writeFileContent" API endpoint.

Recommendations

For net.mingsoft:ms-basic versions prior to 2.1.16, update to version 2.1.16 or later.
For MCMS versions prior to 5.2.11, update to version 5.2.11 or later.
As a temporary workaround, consider restricting access to the "/template/writeFileContent" API endpoint to minimize the risk of exploitation. Avoid using the oldFileName parameter in the affected API endpoint until the issue is resolved.

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-46062
GHSA-RPVR-MW7R-25XX

Affected Products

Mingfei Content Management System
Net.Mingsoft:Ms-Basic