fkie_cve-2024-11992
Vulnerability from fkie_nvd
Published
2024-11-29 13:15
Modified
2024-11-29 13:15
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Absolute path traversal vulnerability in Quick.CMS, version 6.7, the exploitation of which could allow remote users to bypass the intended restrictions and download any file if it has the appropriate permissions outside of documentroot configured on the server via the aDirFiles%5B0%5D parameter in the admin.php page. This vulnerability allows an attacker to delete files stored on the server due to a lack of proper verification of user-supplied input.
References
cve-coordination@incibe.eshttps://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-vulnerability-quickcms
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Absolute path traversal vulnerability in Quick.CMS, version 6.7, the exploitation of which could allow remote users to bypass the intended restrictions and download any file if it has the appropriate permissions outside of documentroot configured on the server via the aDirFiles%5B0%5D parameter in the admin.php page. This vulnerability allows an attacker to delete files stored on the server due to a lack of proper verification of user-supplied input."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de recorrido de ruta absoluta en Quick.CMS, versi\u00f3n 6.7, cuya explotaci\u00f3n podr\u00eda permitir a usuarios remotos eludir las restricciones previstas y descargar cualquier archivo si tiene los permisos adecuados fuera de documentnanconfigurado en el servidor a trav\u00e9s del par\u00e1metro aDirFiles%5B0%5D en la p\u00e1gina admin.php. Esta vulnerabilidad permite a un atacante eliminar archivos almacenados en el servidor debido a la falta de una verificaci\u00f3n adecuada de la entrada proporcionada por el usuario."
    }
  ],
  "id": "CVE-2024-11992",
  "lastModified": "2024-11-29T13:15:05.210",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "cve-coordination@incibe.es",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-29T13:15:05.210",
  "references": [
    {
      "source": "cve-coordination@incibe.es",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-vulnerability-quickcms"
    }
  ],
  "sourceIdentifier": "cve-coordination@incibe.es",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "cve-coordination@incibe.es",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.