Описание
Grav CMS Arbitrary File Deletion
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)
Пакеты
Наименование
getgrav/grav
composer
Затронутые версииВерсия исправления
>= 1.7.0-beta.1, <= 1.7.0-rc.17
Отсутствует
Наименование
getgrav/grav
composer
Затронутые версииВерсия исправления
< 1.6.30
1.6.30
Связанные уязвимости
CVSS3: 8.1
nvd
почти 5 лет назад
The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)