PT-2024-17387 · Quick.Cms

Rafael Pedrero · Published 2024-11-29 · Updated 2024-12-04 · CVE-2024-11992

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Quick.CMS version 6.7
Description: The issue is an absolute path traversal vulnerability that could allow remote users to bypass intended restrictions and download any file outside the document root configured on the server, provided the web server process has permission to read it. This is achieved via the aDirFiles%5B0%5D parameter (the URL-encoded form of aDirFiles[0]) in the "admin.php" page. Because user-supplied input is not properly verified, the same flaw also allows an attacker to delete files stored on the server.
Recommendations: For Quick.CMS version 6.7, patch immediately to fix the path traversal flaw in admin.php. Additionally, audit logs for signs of exploitation to confirm that no unauthorized file access or deletion has occurred. As a temporary workaround, consider restricting access to the aDirFiles%5B0%5D parameter in the admin.php page to minimize the risk of exploitation.
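The root cause described above is a file name taken from a request parameter and used directly for download and delete operations. The following is an added example of the kind of containment check that closes this class of flaw; it is not Quick.CMS code and the function name, base directory and sample inputs are assumptions made for the demonstration. It canonicalises the candidate path with realpath() and refuses anything that is absolute, contains a NUL byte, or resolves outside the permitted directory.

```php
<?php
// Added example (not Quick.CMS code): resolve a user-supplied file name
// against an allowed directory and refuse anything that escapes it.
// Returns the canonical path on success, or null when the input is rejected.
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the allowed directory itself must exist
    }

    // NUL bytes can truncate the path at the filesystem layer; reject early
    // (realpath() on PHP 8 would throw on them anyway).
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        error_log("rejected file path (empty or NUL byte)");
        return null;
    }

    // The advisory describes an *absolute* path traversal, so a leading
    // slash, backslash or drive letter is refused before any resolution.
    if ($userPath[0] === '/' || $userPath[0] === '\\' || preg_match('/^[A-Za-z]:/', $userPath)) {
        error_log("rejected absolute file path: " . $userPath);
        return null;
    }

    // Canonicalise: realpath() collapses "..", symlinks and duplicate separators.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // does not exist, so there is nothing to download or delete
    }

    // Containment check: the canonical path must start with base + separator,
    // which also stops "/var/www/files-other" from matching "/var/www/files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        error_log("rejected file path outside base directory: " . $userPath);
        return null;
    }
    return $candidate;
}

// Demonstration on a constructed temporary directory with one sample file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'files_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');

// Inputs the check must handle: one legitimate name and three it must reject.
$inputs = [
    'report.pdf',          // legitimate file inside the base directory
    '../../etc/passwd',    // relative traversal
    '/etc/passwd',         // absolute path, the case the advisory describes
    "report.pdf\0.txt",    // NUL truncation attempt
];
foreach ($inputs as $in) {
    $resolved = resolveWithinBase($tmp, $in);
    printf("%-22s => %s\n", addcslashes($in, "\0"),
        $resolved === null ? 'REJECTED' : 'allowed: ' . basename($resolved));
}

unlink($tmp . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($tmp);
```

Expected behaviour is that only "report.pdf" is allowed and the other three inputs are rejected. The same resolver should guard both the download and the delete code paths, since the advisory notes that both are reachable through the same parameter, and the error_log() calls give the audit trail the recommendation asks operators to review.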

Fix

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2024-11992

Affected Products: Quick.Cms