CVE-2025-1336

Name of the Vulnerable Software and Affected Versions: CmsEasy version 7.7.7.9

Description: A vulnerability has been found in the function deleteimg action in the library lib/admin/image admin.php. The manipulation of the argument imgname leads to path traversal. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Recommendations: For CmsEasy version 7.7.7.9, as a temporary workaround, consider disabling the deleteimg action function until a patch is available. Restrict access to the lib/admin/image admin.php library to minimize the risk of exploitation. Avoid using the argument imgname in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.