CVE-2021-37144

CRITICAL

CSZ CMS 1.2.9 - Privilege Escalation

Title source: llm

Description

CSZ CMS 1.2.9 is vulnerable to arbitrary file deletion. The flaw arises when PHP's unlink() function is called with a path argument (the file to remove) that user input can control, in part or in whole, without sufficient sanitization.

References (1)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/cskaza/cszcms/issues/32

Scores

CVSS v3 9.1
EPSS 0.0128
EPSS Percentile 66.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Details

CWE CWE-706
Status published
Products (1)
cszcms/csz_cms 1.2.9
Published Jul 30, 2021
Tracked Since Feb 18, 2026