CVE-2021-41950
CRITICAL
ResourceSpace 9.6 - Unauthenticated Path Traversal and Arbitrary File Deletion via Tiles Endpoint
Title source: llm
Description
A directory traversal issue in ResourceSpace 9.6 before 9.6 rev 18277 allows remote unauthenticated attackers to delete arbitrary files on the ResourceSpace server via the provider and variant parameters in pages/ajax/tiles.php. Attackers can delete configuration or source code files, causing the application to become unavailable to all users.
References (2)
Core References
Broken Link, Vendor Advisory x_refsource_misc
http://svn.resourcespace.com/svn/rs/releases/9.6/pages/ajax/tiles.php
Exploit, Third Party Advisory x_refsource_misc
https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/
Scores
CVSS v3
9.1
EPSS
0.7486
EPSS Percentile
99.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
montala/resourcespace
9.6
Published
Nov 15, 2021
Tracked Since
Feb 18, 2026