JVN#48443978: a-blog cms vulnerable to directory traversal

a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a directory traversal vulnerability (CWE-22).

Impact

A user with editor or higher privilege who can log in to the product may obtain arbitrary files on the server including password files.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Apply the workaround
Removing the following file may mitigate the impact of this vulnerability.

• php/ACMS/POST/PingWeblogUpdate.php
  For more information, refer to the information provided by the developer.

Products Affected

• a-blog cms Ver.3.1.x series versions Ver.3.1.9 and earlier
• a-blog cms Ver.3.0.x series versions Ver.3.0.30 and earlier
• a-blog cms Ver.2.11.x series versions Ver.2.11.59 and earlier
• a-blog cms Ver.2.10.x series versions Ver.2.10.51 and earlier
  According to the developer, a-blog cms Ver.2.9 and earlier versions which are now unsupported, are affected by the vulnerabilities as well.