Absolute Path Traversal Vulnerability Allows Unrestricted File Access
CVE-2024-11992
9.1CRITICAL
Key Information
- Vendor
- Quick.cms
- Status
- Quick.cms
- Vendor
- CVE Published:
- 29 November 2024
Summary
Absolute path traversal vulnerability in Quick.CMS, version 6.7, the exploitation of which could allow remote users to bypass the intended restrictions and download any file if it has the appropriate permissions outside of documentroot configured on the server via the aDirFiles%5B0%5D parameter in the admin.php page. This vulnerability allows an attacker to delete files stored on the server due to a lack of proper verification of user-supplied input.
Affected Version(s)
Quick.CMS = 6.7
References
CVSS V3.1
Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
Rafael Pedrero