CVE-2024-11992
Path traversal vulnerability in Quick.CMS
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.1EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
29 Nov 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Absolute path traversal vulnerability in Quick.CMS, version 6.7, the exploitation of which could allow remote users to bypass the intended restrictions and download any file if it has the appropriate permissions outside of documentroot configured on the server via the aDirFiles%5B0%5D parameter in the admin.php page. This vulnerability allows an attacker to delete files stored on the server due to a lack of proper verification of user-supplied input.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Quick.CMS · Quick.CMS