CVE-2024-46446
CRITICAL
Mecha CMS 3.0.0 - Path Traversal and Arbitrary File Deletion via Cookie and URI Manipulation
Title source: llm
Description
Mecha CMS 3.0.0 is vulnerable to directory traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the deletion of arbitrary files or website takeover.
References (2)
Core References
Broken Link: http://mecha-cmscom.com
Exploit, Third Party Advisory: https://github.com/Sp1d3rL1/Mecha-cms-Arbitrary-File-Deletion-Vulnerability
Scores
CVSS v3: 9.8
EPSS: 0.0140
EPSS Percentile: 68.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-22
Status: published
Products (1): mecha-cms/mecha 3.0.0
Published: Oct 07, 2024
Tracked Since: Feb 18, 2026