Absolute Path Traversal Vulnerability Allows Unrestricted File Access

CVE-2024-11992

9.1CRITICAL

Key Information

Vendor: Quick.cms
Status: Quick.cms
Vendor: CVE Published:; 29 November 2024

Summary

Absolute path traversal vulnerability in Quick.CMS, version 6.7, the exploitation of which could allow remote users to bypass the intended restrictions and download any file if it has the appropriate permissions outside of documentroot configured on the server via the aDirFiles%5B0%5D parameter in the admin.php page. This vulnerability allows an attacker to delete files stored on the server due to a lack of proper verification of user-supplied input.

Affected Version(s)

Quick.CMS = 6.7

References

https://www.incibe.es/en/incibe-cert/notices/aviso/path-t...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 29, 2024
Vulnerability Reserved
Nov 29, 2024

Collectors

NVD DatabaseMitre Database

Credit

Rafael Pedrero