An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-12-13T08:00:00

Updated: 2024-08-05T11:51:19.146Z

Reserved: 2018-12-13T00:00:00

Link: CVE-2018-20127

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-12-13T08:29:00.250

Modified: 2024-11-21T04:00:54.710

Link: CVE-2018-20127

cve-icon Redhat

No data.