CVE-2019-19374

CRITICAL

Squiz Matrix CMS <5.5.0.3-5.5.3.3 - Info Disclosure


Description

An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the server during interaction with the File Upload field type, when a custom form exists. (This is related to an information disclosure issue within the File Upload field type that allows users to view the full path to uploaded files, including the product's web root directory.)


Scores

CVSS v3: 9.1
EPSS: 0.0344
EPSS Percentile: 87.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (1): squiz/matrix 5.5.0.0 - 5.5.0.3
Published: Dec 11, 2019
Tracked Since: Feb 18, 2026