CVE-2025-1335

Name of the Vulnerable Software and Affected Versions: CmsEasy version 7.7.7.9

Description: A vulnerability was found in the function deleteimg action in the library lib/admin/file admin.php. The manipulation of the argument imgname leads to path traversal. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Recommendations: For CmsEasy version 7.7.7.9, as a temporary workaround, consider disabling the deleteimg action function until a patch is available. Restrict access to the lib/admin/file admin.php library to minimize the risk of exploitation. Avoid using the argument imgname in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.