Submit #624972: Vvveb 1.0.5 Internal File Readinfo

TitleVvveb 1.0.5 Internal File Read
DescriptionDescription The endpoint at [/vadmin123/index.php?module=editor/editor&url=/&template=index.html] is vulnerable to file read. The vulnerability allows you to read old Vvveb files that were previously being used by an older Vvveb version. Its current severity is low because I wasn't able to read sensitive files. Reproduce Login as an editor or any user with access to “Edit website” functionality. Open the following endpoint: http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=/&template=index.html Change the path to this: http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=index.html This will allow you to open files located at the following server path: /var/www/html/public/admin/default I found this file by searching for a keyword I had found on index.html [editor/editor&url=index.html]: find . -type f -exec grep -l 'Vvveb 0.2 is now available!' {} + This directly contains the following files: /var/www/html/public/admin/default # ls -la total 448 drwx-wx-wx 22 www-data www-data 4096 Jan 3 14:56 . drwx-wx-wx 3 www-data www-data 4096 Jan 3 14:57 .. -rwx-wx-wx 1 www-data www-data 10173 Jan 3 14:56 LICENSE -rwx-wx-wx 1 www-data www-data 5378 Jan 3 14:56 README.md drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 admin drwx-wx-wx 3 www-data www-data 4096 Jan 3 14:56 content drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 css drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 editor drwx-wx-wx 4 www-data www-data 4096 Jan 3 14:56 email -rwx-wx-wx 1 www-data www-data 73835 Jan 3 14:56 error403.html -rwx-wx-wx 1 www-data www-data 73408 Jan 3 14:56 error404.html -rwx-wx-wx 1 www-data www-data 74142 Jan 3 14:56 error500.html -rwx-wx-wx 1 www-data www-data 3150 Jan 3 14:56 favicon.ico drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 field drwx-wx-wx 2 www-data www-data 4096 Jan 3 14:56 fields You can open files for reading. I was able to read package.json: http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=package.json Some old files like systeminfo.html may provide information about old configuration used by the web app: http://127.0.0.1/vadmin123/index.php?module=editor/editor&url=tools/systeminfo.html
Source⚠️ https://hkohi.ca/vulnerability/10
User
 0xHamy (UID 88518)
Submission07/29/2025 20:21 (9 months ago)
Moderation08/04/2025 08:27 (6 days later)
StatusAccepted
VulDB entry318645 [givanz Vvveb up to 1.0.5 Drag-and-Drop Editor editor url information disclosure]
Points20

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!