An issue was discovered in BageCMS 3.1.3. An attacker can delete any files and folders on the web server via an index.php?r=admini/template/batch&command=deleteFile&fileName= or index.php?r=admini/template/batch&command=deleteFolder&folderName=../ directory traversal URI.

No comments yet.

Leave a Reply

Please leave these two fields as-is:

Protected by Invisible Defender. Showed 403 to 1,338,688 bad guys.