Absolute Path Traversal in ImpressCMS Allows File Deletion
CVE-2014-1836

Currently unrated

Key Information:

Vendor: ImpressCMS

CVE Published: 1 July 2015

What is CVE-2014-1836?

ImpressCMS versions prior to 1.3.6 contain an absolute path traversal flaw in image-edit.php. During a cancel action, the image_path parameter accepts a full pathname, which lets a remote attacker delete arbitrary files on the server. This poses a significant risk: deleting critical files compromises the integrity and availability of the web application.
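One way to guard a delete-on-cancel handler against the flaw described above, as an added example (not ImpressCMS code and not its actual 1.3.6 fix). The function name `delete_temp_image`, the `uploads` directory and the file names are assumptions, and the demo files are constructed.

```php
<?php
declare(strict_types=1);

// Weak pattern (hypothetical, not ImpressCMS source): the request value is
// used directly as the path to delete.
//     unlink($_GET['image_path']);

/** Delete a temporary image only if it is a regular file inside $baseDir. */
function delete_temp_image(string $requested, string $baseDir): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // Accept a bare file name only: no separators, drive letters or NUL bytes.
    if (preg_match('/\A[A-Za-z0-9._-]+\z/', $requested) !== 1) {
        return false;
    }
    // Resolve "." / ".." and symlinks before deciding anything.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check on the resolved path, with a trailing separator so
    // that "/uploads_old" does not pass as a child of "/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo data: an upload directory and a file that lives outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'tmp_1.png', 'x');
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', 'x');

var_dump(delete_temp_image($root . DIRECTORY_SEPARATOR . 'config.php', $uploads)); // full pathname
var_dump(delete_temp_image('..', $uploads));                                       // resolves to a directory
var_dump(delete_temp_image('tmp_1.png', $uploads));                                // file inside the directory
var_dump(file_exists($root . DIRECTORY_SEPARATOR . 'config.php'));                 // file outside is untouched

// Clean up the constructed files.
unlink($root . DIRECTORY_SEPARATOR . 'config.php');
rmdir($uploads);
rmdir($root);
```

Where the application already knows which temporary file belongs to the session, deriving the path server-side and ignoring the request value entirely is the stronger design.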

EPSS Score

18% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
