CVE-2017-16903

CRITICAL

LvyeCMS < 3.1 - Unauthenticated Path Traversal and Arbitrary PHP File Write via Template Style Add Request

Title source: llm
STIX 2.1

Description

LvyeCMS through 3.1 allows remote attackers to upload and execute arbitrary PHP code via directory traversal sequences in the dir parameter, in conjunction with PHP code in the content parameter, within a template Style add request to index.php.

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0205
EPSS Percentile 78.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (1)
lvyecms_project/lvyecms < 3.1
Published Nov 20, 2017
Tracked Since Feb 18, 2026