| Field | Value |
|---|---|
| Title | e107cms 2.3.3 Arbitrary File Deletion Vulnerability |
| Description | e107 CMS up to and including 2.3.3 has an arbitrary file deletion vulnerability in the Media Manager's Avatars feature (e107_admin/image.php). An authenticated user can delete arbitrary files by submitting crafted multiaction[] parameters: because the application does not sufficiently validate and canonicalize the supplied file paths, the delete operation can reach files outside the intended media directory, risking data loss and service disruption. Recommended mitigations: strictly validate and canonicalize input paths, restrict deletions to a whitelist of allowed files or directories, and confine file operations to a controlled media-only directory. |
| Source | https://note-hxlab.wetolink.com/share/igdVbDCk2IkD |
| User | angelkat (UID 64410) |
| Submission | 10/09/2025 08:31 (8 months ago) |
| Moderation | 10/18/2025 23:46 (10 days later) |
| Status | Accepted |
| VulDB entry | 329020 [e107 CMS up to 2.3.3 Avatar image.php?mode=main&action=avatar multiaction[] path traversal] |
| Points | 20 |
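As an added illustration, not e107's own code and not taken from the source note: a minimal PHP 8 "delete selected avatars" handler in the vulnerable shape the description implies (each multiaction[] entry joined onto the avatar directory and passed to unlink()), beside a hardened version that applies the recommended mitigations (canonicalize with realpath(), confine to the avatar directory, allow only avatar file types). The directory layout, function names, file names and the sample request are assumptions; only the multiaction[] array shape comes from the entry.

```php
<?php
// Added example, not e107's code. Function names, paths and the sample
// request below are assumptions made for illustration.
declare(strict_types=1);

// Vulnerable pattern: each multiaction[] entry is joined to the avatar
// directory and deleted without canonicalisation, so a value such as
// "../../e107_config.php" escapes the directory and deletes that file.
function deleteAvatarsVulnerable(string $avatarDir, array $multiaction): array
{
    $deleted = [];
    foreach ($multiaction as $name) {
        $path = $avatarDir . '/' . $name;
        if (is_file($path) && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Hardened: resolve the base directory and the candidate with realpath(),
// require the candidate to sit strictly inside the base, reject anything
// that is not a regular file, and allow only avatar image extensions.
function resolveAvatarForDeletion(string $avatarDir, string $name): ?string
{
    $base = realpath($avatarDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Avatars are flat files in one directory, so a directory component
    // or a NUL byte in the name is never legitimate: reject it outright.
    if ($name === '' || str_contains($name, "\0") || $name !== basename($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true)) {
        return null;
    }
    // realpath() returns false for nonexistent files and resolves symlinks,
    // so a symlink pointing outside the directory fails the prefix check too.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

function deleteAvatarsHardened(string $avatarDir, array $multiaction): array
{
    $deleted = [];
    foreach ($multiaction as $name) {
        if (!is_string($name)) {
            continue; // a crafted form can nest arrays inside multiaction[]
        }
        $path = resolveAvatarForDeletion($avatarDir, $name);
        if ($path !== null && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Constructed demo tree under the system temp directory (sample data, not
// a real installation): an avatar directory two levels below a config file.
$root = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
mkdir("$root/e107_media/avatars", 0700, true);
file_put_contents("$root/e107_media/avatars/user1.png", 'png');
file_put_contents("$root/e107_media/avatars/user2.png", 'png');
file_put_contents("$root/e107_config.php", '<?php // constructed stand-in for a config file');

// What a crafted body such as multiaction[]=user1.png&multiaction[]=../../e107_config.php yields.
$multiaction = ['user1.png', '../../e107_config.php'];

$deleted = deleteAvatarsHardened("$root/e107_media/avatars", $multiaction);
printf("hardened deleted: %s\n", implode(', ', $deleted));
printf("config still present after hardened run: %s\n",
    var_export(file_exists("$root/e107_config.php"), true));

$deleted = deleteAvatarsVulnerable("$root/e107_media/avatars", ['user2.png', '../../e107_config.php']);
printf("vulnerable deleted: %s\n", implode(', ', $deleted));
printf("config still present after vulnerable run: %s\n",
    var_export(file_exists("$root/e107_config.php"), true));

// Clean up the demo tree (deepest directory first).
foreach (["$root/e107_media/avatars", "$root/e107_media", $root] as $dir) {
    foreach (glob("$dir/*") ?: [] as $entry) {
        if (is_file($entry)) {
            unlink($entry);
        }
    }
    rmdir($dir);
}
```

Run with `php avatar_delete_demo.php` (PHP 8.0 or later, for str_contains() and str_starts_with()). The hardened run removes only user1.png and leaves the stand-in config file in place; the vulnerable run removes both user2.png and the config file, which is the data-loss outcome the entry describes. The basename() test is the primary control, since an avatar name should never carry a path component; the realpath() prefix check is defence in depth against symlinks inside the directory. There is still a small window between realpath() and unlink() in which the file could be swapped, so on a hostile shared host the directory itself should not be writable by other users.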