CVE-2018-13980

MEDIUM NUCLEI

Zeta Producer < 14.2.1 - Unauthenticated Path Traversal and File Disclosure via Filebrowser Plugin

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-13980. PoCs published by SEC Consult. A Nuclei detection template is also available.

AI-analyzed exploit summary The advisory details two vulnerabilities in Zeta Producer Desktop CMS: a remote code execution flaw via unrestricted file uploads (CVE-2018-13981) and a local file disclosure via path traversal (CVE-2018-13980). It includes technical analysis, affected files, and proof-of-concept descriptions but omits the actual exploit code.

Description

The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.

Exploits (1)

exploitdb WRITEUP

by SEC Consult · textwebappsphp

https://www.exploit-db.com/exploits/45016

View Code ZIP pw:eip

The advisory details two vulnerabilities in Zeta Producer Desktop CMS: a remote code execution flaw via unrestricted file uploads (CVE-2018-13981) and a local file disclosure via path traversal (CVE-2018-13980). It includes technical analysis, affected files, and proof-of-concept descriptions but omits the actual exploit code.

Classification

Writeup 100%

Attack Type

Rce | Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Zeta Producer Desktop CMS <=14.2.0

No auth needed

Prerequisites: Target running Zeta Producer Desktop CMS with vulnerable widgets enabled · Network access to the target server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1005 - Data from Local System

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion

MEDIUMby wisnupramoedya

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html

Exploit, Third Party Advisory x_refsource_misc

https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45016/

Scores

CVSS v3 5.5

EPSS 0.0690

EPSS Percentile 93.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

zeta-producer/zeta_producer < 14.2.1

Published Jul 16, 2018

Tracked Since Feb 18, 2026