CVE-2014-1836
EPSS 18.5%
ImpressCMS Path Traversal to Arbitrary File Delete
Published: 5/17/2022
Modified: 11/8/2023
Description
Absolute path traversal vulnerability in `htdocs/libraries/image-editor/image-edit.php` in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the `image_path` parameter in a cancel action.
Affected packages (1)
- Packagist/impresscms/impresscms from 0, < 1.3.6
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2014-1836
- WEB: http://community.impresscms.org/modules/smartsection/item.php?itemid=675
- WEB: http://seclists.org/fulldisclosure/2014/Feb/14
- WEB: https://github.com/ImpressCMS/impresscms/issues/914
- WEB: https://github.com/pedrib/PoC/blob/master/generic/impresscms-1.3.5.txt
- WEB: https://web.archive.org/web/20200228234251/http://www.securityfocus.com/bid/65279