Absolute Path Traversal Vulnerability Allows Unrestricted File Access
CVE-2024-11992

9.1 CRITICAL

Key Information:

Vendor: Quick.cms
Status: Vendor
CVE Published: 29 November 2024

What is CVE-2024-11992?

Quick.CMS version 6.7 is affected by an absolute path traversal vulnerability that lets a remote user bypass the intended file-access restrictions. The flaw is reached through the aDirFiles%5B0%5D parameter (aDirFiles[0] once URL-decoded) of the admin.php page: the application uses the supplied value as a filesystem path without validating that it is relative and stays inside the configured document root, so an absolute path pointing at an arbitrary file on the server is accepted as-is. Because the same parameter drives the file-handling actions, an attacker can download sensitive files from outside the web root and can also delete files on the server. This page lists no fixed release; until a vendor fix is applied, restrict access to admin.php at the web-server layer (for example to trusted networks or authenticated administrators) and reject values of this parameter that are absolute or contain ".." segments before they reach the application.
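The following is an added illustration of the vulnerability class, not code from Quick.CMS or from the advisory. It shows, in Python, the flawed pattern behind an absolute path traversal (user input joined onto a root directory and trusted), a hardened resolver that refuses absolute paths and anything escaping the root, and a small access-log scan for the aDirFiles[0] parameter. The document root DOC_ROOT, the function names and the three log lines are constructed for the example; the advisory names only admin.php and the parameter.

```python
"""Absolute path traversal: how the flawed pattern fails, how to contain a
user-supplied path under a document root, and how to spot the pattern in
access logs. Added illustration, not Quick.CMS code."""
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed file-store root for the examples; the advisory does not name one.
DOC_ROOT = "/var/www/quickcms/files"


def vulnerable_resolve(root: str, user_path: str) -> str:
    """The flawed pattern: append user input to the root and trust the result.

    os.path.join() discards `root` entirely when `user_path` is absolute, so
    "/etc/passwd" resolves to "/etc/passwd" rather than to a file under root.
    Normalisation alone does not help: "../../x" still walks out of root.
    """
    return os.path.normpath(os.path.join(root, user_path))


def safe_resolve(root: str, user_path: str) -> str:
    """Hardened version: refuse NUL bytes and absolute paths up front, then
    resolve symlinks and '..' with realpath() and require the result to lie
    strictly inside the real root directory (the root itself is not a file)."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def allowed_under_root(root: str, user_path: str) -> bool:
    """Boolean convenience wrapper around safe_resolve()."""
    try:
        safe_resolve(root, user_path)
        return True
    except ValueError:
        return False


# Constructed access-log lines (common-log-format prefix) for the detector;
# they are not real traffic from any Quick.CMS installation.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2024:10:14:02 +0000] "GET /admin.php?aDirFiles%5B0%5D=%2Fetc%2Fpasswd HTTP/1.1" 200 1421
203.0.113.5 - - [29/Nov/2024:10:14:09 +0000] "GET /admin.php?aDirFiles%5B0%5D=reports%2Fq3.pdf HTTP/1.1" 200 88231
198.51.100.7 - - [29/Nov/2024:10:15:30 +0000] "GET /admin.php?aDirFiles%5B0%5D=..%2F..%2Fconfig.php HTTP/1.1" 200 3110
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_text: str, param: str = "aDirFiles[0]") -> list:
    """Return (client_ip, decoded_value) for requests whose `param` carries an
    absolute path or a '..' segment. Only the query string is visible in a
    standard access log, so POST bodies must be inspected at the application
    or WAF layer instead."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes both keys and values, so %5B0%5D becomes [0].
        query = parse_qs(urlsplit(match.group(1)).query)
        for value in query.get(param, []):
            segments = value.replace("\\", "/").split("/")
            if os.path.isabs(value) or ".." in segments:
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    print("flawed join gives:", vulnerable_resolve(DOC_ROOT, "/etc/passwd"))
    for user_path in ("/etc/passwd", "../../config.php", "reports/q3.pdf"):
        verdict = "allowed" if allowed_under_root(DOC_ROOT, user_path) else "rejected"
        print(f"{user_path!r}: {verdict}")
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious aDirFiles[0] from {ip}: {value!r}")
```

The check in safe_resolve() is done on the realpath() of both sides so that a symlink inside the file store pointing elsewhere is caught as well; a plain string-prefix comparison on the unresolved path would miss it.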

Affected Version(s)

Quick.CMS 6.7

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None (with the other metrics above, a 9.1 base score corresponds to A:N; an Availability impact of High would give 9.8)

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

Rafael Pedrero