Pedro Ribeiro has discovered a vulnerability in ImpressCMS, which can be exploited by malicious users or malicious people to manipulate certain data.
Input passed via the "image_path" GET parameter to libraries/image-editor/image-edit.php (when "op" is set to "cancel") is not properly verified before being used to delete files. This can be exploited to delete arbitrary files via directory traversal sequences.
Successful exploitation requires authenticated access in version 1.3.6.
The vulnerability is confirmed in versions 1.3.5, 1.3.6, and 220.127.116.11. Other versions may also be affected.
Solution: The vendor has released a fix in version 1.3.6; however, the fix is only partially effective. No official solution is currently available.
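One way to constrain a delete operation like the one described for "image_path", shown as an added PHP example that is neither ImpressCMS code nor the vendor's fix. The function names, the uploads directory and the demo files are hypothetical and constructed for illustration.

```php
<?php
// Added example, not ImpressCMS code. All names below are hypothetical.

/**
 * Return the canonical path of $userPath only if it is a regular file
 * located inside $baseDir; return null for anything else.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    // Empty input and NUL bytes are never valid file names.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" sequences and follows symlinks, so the
    // comparison below is made on the path the filesystem would really use.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "uploads-old" is not accepted as being inside "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** Delete a file only when it resolves to a location inside $baseDir. */
function deleteTempImage(string $baseDir, string $userPath): bool
{
    $target = resolveInsideBase($baseDir, $userPath);
    return $target !== null && unlink($target);
}

// Constructed demo in a throwaway directory under the system temp dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/tmp.png', 'x');
file_put_contents($root . '/config.php', 'x');

echo 'in-directory delete allowed: ';
var_dump(deleteTempImage($root . '/uploads', 'tmp.png'));
echo 'traversal delete allowed: ';
var_dump(deleteTempImage($root . '/uploads', '../config.php'));
echo 'file outside base still present: ';
var_dump(file_exists($root . '/config.php'));

// Clean up the demo files.
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

The check and the unlink() are separate steps, so the base directory should not be writable by other users who could swap a path component between them.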
Provided and/or discovered by: Pedro Ribeiro
Original Advisory: ImpressCMS: