JVNVU#93628467: WonderCMS vulnerable to directory traversal

Overview

WonderCMS contains a directory traversal vulnerability.

Products Affected

WonderCMS 2.6.0 and earlier

Description

WonderCMS contains a directory traversal vulnerability (CWE-22).

Note that the original fix for this vulnerability was insufficient (CVE-2018-7172). However, an updated version of the software, which completely addressed this vulnerability has been released by the developer.

Impact

Arbitrary files on the server may be deleted by a user.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Link
WonderCMS	WonderCMS

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Base Score: 6.4

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:N

Base Score: 5.5

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Sosuke Tokuda reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2019-5956
JVN iPedia

JVNVU#93628467 WonderCMS vulnerable to directory traversal