CVE-2023-3239

Name of the Vulnerable Software and Affected Versions OTCMS versions up to 6.62

Description A problematic issue was found in OTCMS. It affects an unknown function of the file admin/readDeal.php, specifically the API endpoint "admin/readDeal.php?mudi=readQrCode". The manipulation of the img argument leads to path traversal, allowing access to '../filedir'. The issue has been publicly disclosed.

Recommendations For OTCMS versions up to 6.62, as a temporary workaround, consider restricting access to the admin/readDeal.php?mudi=readQrCode endpoint to minimize the risk of exploitation. Avoid using the img argument in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.