Submission #845906: kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Path Traversal

Title: kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Path Traversal
Description:

## Description

Ecommerce-CodeIgniter-Bootstrap contains a path traversal vulnerability in vendor multi-image endpoints. The affected handlers trust the user-controlled `folder` parameter and concatenate it directly into filesystem paths under `attachments/shop_images/`. Because the application did not canonicalize the target path or enforce a base directory boundary, an attacker able to reach the vendor image endpoints could traverse outside the intended product image directory. The vulnerable behavior allowed directory creation, image upload, and file deletion in unintended writable locations.

## Technical Details

- Affected component: `application/modules/vendor/controllers/AddProduct.php`
- Vulnerable parameter: `folder`
- Impacted operations: directory creation, multi-image upload, and image deletion outside the intended shop image directory
- Weakness: `CWE-22`
- CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- Severity: `Critical`
- Published: `2026-05-20`
- Patched version / fix commit: `2a9497ff11f36e573ad99e1c357ff0e6ded49745`
- GitHub Security Advisory: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-6whv-r5hm-vcjr
- Vendor fix: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/2a9497ff11f36e573ad99e1c357ff0e6ded49745
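The mitigation the advisory names (canonicalizing the path and enforcing a base directory boundary) looks like this in PHP; this is an added example, not code from Ecommerce-CodeIgniter-Bootstrap or from the vendor fix commit, and the base directory path, the function name and the sample `folder` values are assumptions.

```php
<?php
// Added example, not code from Ecommerce-CodeIgniter-Bootstrap or its fix commit.
// Assumed base directory; the real application resolves it from its own layout.
const SHOP_IMAGES_BASE = __DIR__ . '/attachments/shop_images';

/**
 * Map a user-supplied `folder` value to an absolute directory under the shop image base.
 * Returns the safe absolute path, or null if the value would escape the base directory.
 * The same check must run before directory creation, upload and deletion alike.
 */
function resolveShopImageFolder(string $folder, string $base = SHOP_IMAGES_BASE): ?string
{
    // Allow only a single plain path segment: no slashes, backslashes, "." or "..",
    // no NUL bytes. This alone blocks the traversal described in the advisory.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder)) {
        return null;
    }

    // Canonicalize the base directory (it must exist for realpath() to succeed).
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }

    $candidate = $realBase . DIRECTORY_SEPARATOR . $folder;

    // If the folder already exists, canonicalize it as well so that a symlink planted
    // inside the base cannot redirect the operation somewhere else on disk.
    $realCandidate = realpath($candidate);
    if ($realCandidate !== false) {
        $candidate = $realCandidate;
    }

    // Boundary check: the final path must start with "<base>/".
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs standing in for the request's `folder` parameter.
@mkdir(SHOP_IMAGES_BASE, 0750, true);
foreach (['product-42', '../../application', "x\0.png"] as $folder) {
    $resolved = resolveShopImageFolder($folder);
    echo json_encode($folder), ' => ', $resolved ?? 'rejected', PHP_EOL;
}
```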
Source: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-6whv-r5hm-vcjr
User: Anonymous User
Submission: 02/06/2026 10:11 (1 month ago)
Moderation: 03/07/2026 19:24 (1 month later)
Status: Accepted
VulDB Entry: 376150 [kirilkirkov Ecommerce-CodeIgniter-Bootstrap Vendor Multi-Image Endpoint AddProduct.php folder directory traversal]
Points: 20
