2 matches found
Arbitrary file deletion
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. If the attacker deletes config.php and visits install/index.php, they can reinstall the product...
CVE-2018-16774
CVE-2018-16774 concerns HongCMS 3.0.0, where an improper validation in the file parameter enables directory traversal to delete files via admin/index.php/language/ajax?action=delete (and related path admin/index.php/database/ajax?action=delete). The underlying issue is a traversal vulnerability t...