CVE-2012-6064
CMS Made Simple < 1.11.2.1 - Authenticated Path Traversal via deld Parameter
Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files.
References (7)
http://packetstormsecurity.org/files/117951/CMS-Made-Simple-1.11.2-Cross-Site-Request-Forgery.html [Exploit, Third Party Advisory; x_refsource_misc]
https://www.htbridge.com/advisory/HTB23121 [Vendor Advisory; x_refsource_misc]
http://secunia.com/advisories/51185 [Third Party Advisory; third-party-advisory, x_refsource_secunia]
http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=63545 [Various Sources; x_refsource_confirm]
https://exchange.xforce.ibmcloud.com/vulnerabilities/79881 [Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf]
http://viewsvn.cmsmadesimple.org/diff.php?repname=cmsmadesimple&path=%2Ftrunk%2Flib%2Ffilemanager%2FImageManager%2FClasses%2FImageManager.php&rev=8400&peg=8498 [Various Sources; x_refsource_confirm]
http://archives.neohapsis.com/archives/bugtraq/2012-11/0035.html [Third Party Advisory; mailing-list, x_refsource_bugtraq]
Scores
EPSS: 0.0090
EPSS Percentile: 76.0%
Details
CWE: CWE-22
Status: published
Products (50)
cmsmadesimple/cms_made_simple: 0.1, 0.2, 0.2.1, 0.3, 0.3.1, 0.3.2, 0.4, 0.4.1, 0.5, 0.5.1
... and 40 more
Published: Dec 03, 2012
Tracked Since: Feb 18, 2026