Absolute Path Traversal Vulnerability Allows Unrestricted File Access
CVE-2024-11992

9.1CRITICAL

Key Information:

Vendor: Quick.cms
Status: Quick.cms
Vendor: CVE Published:; 29 November 2024

What is CVE-2024-11992?

An absolute path traversal vulnerability has been identified in Quick.CMS version 6.7, enabling remote users to bypass intended security measures. The exploitation occurs through the aDirFiles%5B0%5D parameter within the admin.php page, allowing unauthorized access to files outside the configured document root of the server. This vulnerability can lead to the download of sensitive files and potentially enable attackers to delete files due to insufficient validation of user-supplied input. Organizations using the affected version are urged to implement security measures promptly.

Affected Version(s)

Quick.CMS 6.7

References

https://www.incibe.es/en/incibe-cert/notices/aviso/path-t...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 29, 2024
Vulnerability Reserved
Nov 29, 2024

Credit

Rafael Pedrero

Quick.cms

What is CVE-2024-11992?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit