CVE-2023-23136 in lmxcms

Summary

by MITRE • 02/01/2023

lmxcms v1.41 was discovered to contain an arbitrary file deletion vulnerability via BackdbAction.class.php.


Analysis

by VulDB Data Team • 10/06/2025

CVE-2023-23136 affects lmxcms version 1.41 and is a critical arbitrary file deletion flaw in the BackdbAction.class.php component. An authenticated attacker with administrative privileges can delete arbitrary files on the target system because of improper input validation and inadequate access controls. The root cause is insufficient sanitization of user-supplied parameters that are used directly in file operations, so attacker-controlled file deletions run with the privileges of the web application.

The flaw sits in BackdbAction.class.php, where database backup and restoration functions are handled. When an administrator performs a backup operation through the web interface, the application does not validate or sanitize the input parameters that specify which files are processed. An attacker can therefore manipulate the file path or name parameters to target any file within the application's directory structure. The weakness is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory, a well-documented path traversal class that leads to arbitrary file operations.

The operational impact is severe and potentially catastrophic for affected systems. An attacker who can authenticate to the administrative interface could delete critical system files, application binaries, configuration files or database files, resulting in complete system compromise or denial of service. The flaw grants destructive capability that could render the application unusable or open the way to further compromise. The risk is amplified because the vulnerability requires only administrative access, which suggests that the application's privilege management may be insufficient or that its authentication mechanisms can be bypassed by other means.

In ATT&CK terms the vulnerability maps to T1059 Command and Scripting Interpreter and T1485 Data Destruction, since it lets an attacker execute destructive operations against the file system. It also represents a failure of least privilege: the administrative interface should not permit arbitrary file deletion without safeguards. Organizations running lmxcms v1.41 should immediately apply the vendor-provided patch, add input validation layers, restrict administrative access through network segmentation, and audit the file system for unauthorized deletions. The case illustrates how essential proper input validation and access control are in web applications, particularly in administrative functions.
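As an added illustration of the input validation the analysis calls for, the PHP below is example code written for this page, not lmxcms's own code or the vendor's patch; the function names and the $backupDir / $name parameters are assumed. It places the unchecked CWE-22 shape next to a handler that confines deletions to the backup directory.

```php
<?php
// Added illustration, not lmxcms code: a backup-file delete handler that
// confines deletions to the backup directory. Function names and the
// $backupDir / $name parameters are assumed for this example.

// Vulnerable shape (CWE-22): the request parameter reaches unlink() unchecked,
// so a name containing '../' walks out of the backup directory.
function unsafeDeleteBackup(string $backupDir, string $name): bool
{
    return unlink($backupDir . '/' . $name);
}

// Hardened shape: allow-list the file name, then confirm the resolved path
// still lies inside the resolved backup directory before deleting.
function safeDeleteBackup(string $backupDir, string $name): bool
{
    // Backups are flat files; anything but a plain "<name>.sql" is rejected.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.sql\z/', $name)) {
        return false;
    }
    $base   = realpath($backupDir);
    $target = realpath($backupDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for a missing file and resolves symlinks, so a
    // link planted in the backup directory cannot redirect the deletion.
    if ($base === false || $target === false) {
        return false;
    }
    // Prefix check against "<base>/" so a sibling directory sharing the
    // same name prefix (e.g. backup2/) is not accepted.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($target);
}

// Self-contained demo on a constructed temporary backup directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'site_20230101.sql', "-- constructed sample dump\n");

var_dump(safeDeleteBackup($dir, '../index.php'));       // rejected by the name pattern
var_dump(safeDeleteBackup($dir, 'site_20230101.sql'));  // inside the directory: deleted
rmdir($dir);
```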

Reservation: 01/11/2023
Disclosure: 02/01/2023
Moderation: accepted
CPE: ready
EPSS: 0.00824
KEV: no
Activities: very low
