CVE-2024-11992

CRITICAL

Quick.CMS 6.7 - Path Traversal and Arbitrary File Deletion via aDirFiles Parameter


Description

Absolute path traversal vulnerability in Quick.CMS version 6.7. Exploitation could allow remote users to bypass the intended restrictions and download any file outside the document root configured on the server, provided the file has the appropriate permissions, via the aDirFiles%5B0%5D parameter (the URL-encoded form of aDirFiles[0]) of the admin.php page. Because user-supplied input is not properly verified, the vulnerability also allows an attacker to delete files stored on the server.

Scores

CVSS v3: 9.1
EPSS: 0.0080
EPSS Percentile: 51.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-22
Status: published
Products (1): Quick.CMS/Quick.CMS 6.7
Published: Nov 29, 2024
Tracked Since: Feb 18, 2026