CVE-2024-11992 CRITICAL

CVE-2024-11992: Path traversal vulnerability in Quick.CMS

Vendor Quick.cms
Product Quick.CMS
Weakness CWE-22 · Path traversal
Published November 29, 2024
Last update November 29, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Absolute path traversal vulnerability in Quick.CMS, version 6.7, the exploitation of which could allow remote users to bypass the intended restrictions and download any file if it has the appropriate permissions outside of documentroot configured on the server via the aDirFiles%5B0%5D parameter in the admin.php page. This vulnerability allows an attacker to delete files stored on the server due to a lack of proper verification of user-supplied input.

Key dates

02Disclosure timeline

November 29, 2024 CVE published
November 29, 2024 Record updated