A vulnerability has been found in OFCMS up to 1.1.2 and classified as critical. This vulnerability affects the function getTemplates of the file admin/cms/template/getTemplates.html?res_path=res&up_dir=../. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java.

The bug was discovered 03/06/2019. The weakness was shared 03/06/2019. This vulnerability was named CVE-2019-9610 since 03/06/2019. The exploitation appears to be easy. The attack can be initiated remotely. The successful exploitation requires a single authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1006.

Upgrading to version 1.1.3 eliminates this vulnerability.

The entries VDB-131408, VDB-131407, VDB-131406 and VDB-131405 are related to this item.

Productinfo

Name

• OFCMS

Version

• 1.1.0
• 1.1.1
• 1.1.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion