Lucene search

[email protected]CVE-2019-5887

HistoryJan 10, 2019 - 2:29 p.m.

CVE-2019-5887

2019-01-1014:29:00

CWE-22

[email protected]

web.nvd.nist.gov

cve-2019-5887

shopxo

fileutil.php

directory traversal

input mishandling

arbitrary files

security vulnerability

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

43.7%

JSON

An issue was discovered in ShopXO 1.2.0. In the UnlinkDir method of the FileUtil.php file, the input parameters are not checked, resulting in input mishandling by the rmdir method. Attackers can delete arbitrary files by using “…/” directory traversal.

Affected configurations

NVD

Node

shopxoshopxoMatch1.2.0

CPENameOperatorVersion
shopxo:shopxoshopxoeq1.2.0

CPE	Name	Operator	Version
shopxo:shopxo	shopxo	eq	1.2.0

References

github.com/gongfuxiang/shopxo/issues/2

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

43.7%

JSON

Related for CVE-2019-5887

cvelist1 nvd1 osv1 prion1