CVE-2019-5887
ShopXO 1.2.0 is affected. In FileUtil.php’s UnlinkDir, input parameters are not validated, allowing directory traversal via "../" to induce rmdir to delete arbitrary files. This results in potential partial/complete file deletion and is mitigated only by proper input validation; no patch/version ...